Factorizations of the Thompson-Higman groups, and circuit complexity

Jean-Camille Birget * 
February 2, 2008 

Abstract 

We consider the subgroup $\mathrm{lp}G_{k,1}$ of length preserving elements of the Thompson-Higman group
$G_{k,1}$ and we show that all elements of $G_{k,1}$ have a unique $\mathrm{lp}G_{k,1} \cdot F_{k,1}$ factorization. This applies
to the Thompson-Higman group $T_{k,1}$ as well. We show that $\mathrm{lp}G_{k,1}$ is a "diagonal" direct limit of
finite symmetric groups, and that $\mathrm{lp}T_{k,1}$ is a $k^\infty$ Prüfer group. We find an infinite generating set
of $\mathrm{lp}G_{k,1}$ which is related to reversible boolean circuits.

We further investigate connections between the Thompson-Higman groups, circuits, and complexity.
We show that elements of $F_{k,1}$ cannot be one-way functions. We show that describing an
element of $G_{k,1}$ by a generalized bijective circuit is equivalent to describing the element by a word
over a certain infinite generating set of word length over these generators is equivalent to
generalized bijective circuit size.

We give some coNP-completeness results for $G_{k,1}$ (e.g., the word problem when elements are
given by circuits), and $\#\mathcal{P}$-completeness results (e.g., finding the $\mathrm{lp}G_{k,1} \cdot F_{k,1}$ factorization of an
element of $G_{k,1}$ given by a circuit).

1 Introduction 

The Thompson groups, introduced by Richard J. Thompson |241 12UI 05], and their generalization by
Graham Higman [16], are well known for their amazing properties and their importance in combinatorial
group theory and topology. In this paper we focus on the computational role of these groups,
continuing the work started in [21 E|, and we study some subgroups of the Thompson-Higman groups
that are motivated by circuit complexity. We emphasize that we view the Thompson groups as a model
of computation and not just a source of algorithmic problems. Indeed, since the Thompson group $V$
has a faithful partial action on the set $\{0,1\}^*$ of all bitstrings, it is natural to consider combinational
circuits for computing elements of $V$; i.e., we can view every element of $V$ as the input-output function
of an acyclic digital circuit (see [3]). The elements of $V$ are bijections, hence we will see connections
between $V$ and reversible computing. More precisely, words over certain generating sets of $V$ will be
seen to be equivalent to circuits made of (generalized) bijective gates.

Combinational circuits have fixed-length inputs and fixed-length outputs, which is not the case for
elements of $V$; but the notion of a circuit can be adapted in order to be applied to the computation
of elements of $V$. Moreover, for bijective circuits the fixed length of inputs and outputs implies that
the circuit is length preserving. This leads to the question what the length preserving elements of
$V$ are, and how arbitrary elements of $V$ are related to length preserving elements of $V$. The length
preserving elements of $V$ turn out to form an interesting subgroup, called $\mathrm{lp}V$, and we will show that
every element of $V$ can be factored in a unique way as a product of an element of $\mathrm{lp}V$ and an element
of the Thompson group $F$. This factorization carries over to the Thompson group $T$, where we have
a unique $\mathrm{lp}T \cdot F$ factorization. All of this generalizes to the Thompson-Higman groups $G_{k,1}$ and $T_{k,1}$.

The group $\mathrm{lp}G_{k,1}$ is locally finite; it is a "diagonal" direct limit of finite symmetric groups, and it is
simple when $k$ is even; $\mathrm{lp}T_{k,1}$ is a $k^\infty$ Prüfer group. The connection with bijective (a.k.a. "reversible")
circuits leads to an interesting infinite generating set of $\mathrm{lp}V$. We show that a description of an element
of $G_{k,1}$ by a bijective circuit is equivalent to a description by a word over a certain infinite generating
set of $G_{k,1}$; bijective circuit size is closely related to the word size over a certain infinite generating set
of $G_{k,1}$. This shows that $G_{k,1}$ (and especially $V$) can serve as a model for bijective computing, with
equivalent complexity.

We also investigate the computational complexity of some problems in $G_{k,1}$. We show that when
an element $\varphi \in G_{k,1}$ is given by a bijective circuit (or by a general non-bijective circuit), the question
whether $\varphi$ is the identity, and the question whether $\varphi$ is maximally extended, are coNP-complete
problems; this is an application of [H] where $G_{k,1}$ and its connection with circuits was used to construct
a finitely presented group with coNP-complete word problem. We show that elements of $F_{k,1}$ cannot
be one-way functions, i.e., from a circuit for $f \in F_{k,1}$ one can easily find a circuit for And we show
that when $\varphi \in G_{k,1}$ is given by a bijective circuit, the problem of finding the $\mathrm{lp}G_{k,1} \cdot F_{k,1}$ factorization
of $\varphi$ is $\#\mathcal{P}$-complete in general (and also under some restrictions).

Definition of the Thompson-Higman group 

The rest of this Introduction consists of a brief, but complete, definition of the Thompson-Higman
groups $G_{k,1}$, $T_{k,1}$, and $F_{k,1}$. We follow the exposition of [21 El, based on partial actions on finite words,
which simplifies the connections with circuits. Compare with the definition in J2S] (based on infinite
sequences), ^H] (based on automorphisms of certain algebras), (221 (based on words and similar to this
paper, but with different terminology), |H| (based on finite trees), [1] (based on piecewise linear maps
between real numbers, see also j2j), (related to associativity or commutativity in term rewriting,
which was Thompson's original view).

To define the Thompson-Higman group $G_{k,1}$ we fix an alphabet $A$ of cardinality $|A| = k$. Let
$A^*$ denote the set of all finite words over $A$ (i.e., all finite sequences of elements of $A$); this includes
the empty word $\varepsilon$. The length of $w \in A^*$ is denoted by $|w|$; let $A^n$ denote the set of words of length
$n$. For two words $u, v \in A^*$ we denote their concatenation by $uv$ or by $u \cdot v$; for sets $B, C \subseteq A^*$
the concatenation is $BC = \{uv : u \in B, v \in C\}$. A right ideal of $A^*$ is a subset $R \subset A^*$ such that
$RA^* \subset R$. A generating set of a right ideal $R$ is a set $C$ such that $R$ is the intersection of all right
ideals that contain $C$. A right ideal $R$ is called essential iff $R$ has a non-empty intersection with every
right ideal of $A^*$. For words $u, v \in A^*$, we say that $u$ is a prefix of $v$ iff there exists $z \in A^*$ such that
$uz = v$. A prefix code is a subset $C \subseteq A^*$ such that no element of $C$ is a prefix of another element of
$C$. A prefix code is maximal iff it is not a strict subset of another prefix code. One can prove that a
right ideal $R$ has a unique minimal (under inclusion) generating set, and that this minimal generating
set is a prefix code; this prefix code is maximal iff $R$ is an essential right ideal.

Partial functions on $A^*$ will play a big role. For $f : A^* \to A^*$, let $\mathrm{Dom}(f)$ denote the domain
and let $\mathrm{Im}(f)$ denote the image (range) of $f$. A restriction of $f$ is any function $f_1 : A^* \to A^*$ such
that $\mathrm{Dom}(f_1) \subset \mathrm{Dom}(f)$, and such that $f_1(x) = f(x)$ for all $x \in \mathrm{Dom}(f_1)$. An extension of $f$ is any
function on $A^*$ of which $f$ is a restriction.

An isomorphism between right ideals $R_1, R_2$ of $A^*$ is a bijection $\varphi : R_1 \to R_2$ such that for all
$r_1 \in R_1$ and all $z \in A^*$: $\varphi(r_1 z) = \varphi(r_1) \cdot z$; the isomorphism $\varphi$ can be described by a bijection between
the prefix codes that minimally generate $R_1$, respectively $R_2$.

One can prove that an isomorphism $\varphi$ between essential right ideals has a unique maximal extension
(as an isomorphism between essential right ideals), denoted $\max \varphi$. So, $\max \varphi$ has no extension (other
than itself) to an isomorphism between essential right ideals.

Finally, the Thompson-Higman group $G_{k,1}$ is defined to consist of all maximally extended
isomorphisms between finitely generated essential right ideals of $A^*$. The multiplication consists of
composition followed by maximal extension: $\varphi \cdot \psi = \max(\varphi \circ \psi)$. Note that we let $G_{k,1}$ act partially
and faithfully on $A^*$ on the left.

Thompson and Higman proved that $G_{k,1}$ is finitely presented. Also, when $k$ is even $G_{k,1}$ is simple,
and when $k$ is odd $G_{k,1}$ has a simple normal subgroup of index 2.

Every element $\varphi \in G_{k,1}$ can be described by a bijection between two finite maximal prefix codes;
this bijection can be described concretely by a finite function table. When $\varphi$ is described by a maximally
extended isomorphism between essential right ideals, $\varphi : R_1 \to R_2$, we call the minimum generating
set of $R_1$ the domain code of $\varphi$, denoted $\mathrm{domC}(\varphi)$, and we call the minimum generating set of $R_2$
the image code of $\varphi$, denoted $\mathrm{imC}(\varphi)$; because of the uniqueness of maximal extension, $\mathrm{domC}(\varphi)$ and
$\mathrm{imC}(\varphi)$ are uniquely determined by $\varphi$. We call the cardinality $|\mathrm{domC}(\varphi)| = |\mathrm{imC}(\varphi)|$ the table size of
$\varphi$, denoted $\|\varphi\|$. In [2] it was proved that for all $\varphi, \psi \in G_{k,1}$: $\|\varphi \psi\| < \|\varphi\| + \|\psi\|$. The concepts of
$\mathrm{domC}(\varphi)$, $\mathrm{imC}(\varphi)$, table, and $\|\varphi\|$, can also be used when $\varphi$ is not maximally extended.

For any finite generating set $\Gamma$ of $G_{k,1}$ and any $\varphi \in G_{k,1}$, we define the word length of $\varphi$ over $\Gamma$ as
the length of a shortest word over $\Gamma \cup \Gamma^{-1}$ that represents $\varphi$; it is denoted by $|\varphi|_\Gamma$. In pj it was proved
that for any finite generating set $\Gamma$ of $G_{k,1}$, the word length and the table size are closely related; for
all $\varphi \in G_{k,1}$: $c' \|\varphi\| < |\varphi|_\Gamma < c\, \|\varphi\| \log_2 \|\varphi\|$ (for some constants $c, c' > 0$ depending on $\Gamma$ but not
on $\varphi$). Asymptotically, for most $\varphi \in G_{k,1}$ we also have $|\varphi|_\Gamma > c'' \|\varphi\| \log_2 \|\varphi\|$ (for some constant
depending on $\Gamma$, $0 < c'' < c$). However, for $\varphi \in F_{k,1}$ it was proved in [S] that $c' < |\varphi|_\Gamma < c$

We will use the well-known finitely presented subgroups $F_{k,1}$ and $T_{k,1}$ of $G_{k,1}$, introduced in [24]
and [El-. The groups $F_{2,1}$ (also called $F$) and $T_{2,1}$ (also called $T$) have a large literature; a few examples
are [10], [101115], [tj, 0, [13], [7], [TO], 0, [0], DH, M. Below we will introduce the subgroups $\mathrm{lp}G_{k,1}$
and $\mathrm{lp}T_{k,1}$ of length preserving elements of $G_{k,1}$, respectively $T_{k,1}$.

We will need the exact definition of $F_{k,1}$ and $T_{k,1}$ in the setting of partial actions on words (in $A^*$),
and to do so we need some preliminary definitions. Assuming that a linear order has been chosen for
the alphabet $A$, we can consider the dictionary order on $A^*$, denoted $<_d$, and defined as follows. For
any $x_1, x_2 \in A^*$ we say that $x_1 <_d x_2$ (i.e., $x_1$ precedes $x_2$ in the dictionary order) iff either (1) $x_1$ is
a prefix of $x_2$, or, (2) letting $p$ denote the longest common prefix of $x_1$ and $x_2$, we have: $x_1 = p a_1 v_1$,
$x_2 = p a_2 v_2$, with $a_1 < a_2$ (for some letters $a_1, a_2 \in A$, and words $v_1, v_2 \in A^*$, where $<$ is the strict
order in $A$).

A partial map $f : A^* \to A^*$ is said to preserve the dictionary order iff for all $x_1, x_2 \in \mathrm{Dom}(f)$ we
have: $x_1 <_d x_2$ iff $f(x_1) <_d f(x_2)$.

We also want to define "cyclical preservation" of the dictionary order. Here we will simply write
$<$ for $<_d$ (strict dictionary order). A cyclical order of a finite maximal prefix code $P \subset A^*$ is a listing
$(x_0, x_1, \ldots, x_{|P|-1})$ of all the elements of $P$ such that for some integer $s$: $(x_s, \ldots, x_{|P|-1}, x_0, \ldots, x_{s-1})$
is the listing of $P$ in dictionary order. In other words, a cyclical order of $P$ is a cyclic permutation of
the dictionary order on $P$.

We say that a partial map $f : A^* \to A^*$ cyclically preserves the dictionary order iff for all finite
sequences $(x_0, x_1, \ldots, x_{n-1})$ we have: $(x_0, x_1, \ldots, x_{n-1})$ is a cyclical order of some finite maximal
prefix code iff $(f(x_0), f(x_1), \ldots, f(x_{n-1}))$ is a cyclical order of some finite maximal prefix code.

The groups $F_{k,1}$ and $T_{k,1}$ can be defined as follows, from the point of view of partial actions on
finite words (see [1]).

Definition 1.1 Assume that a linear order has been chosen for the alphabet $A$, where $|A| = k$. Then
$F_{k,1}$ consists of the elements of $G_{k,1}$ that preserve the dictionary order of $A^*$, and $T_{k,1}$ consists of the
elements of $G_{k,1}$ that cyclically preserve the dictionary order of $A^*$.

Another view of $F_{k,1}$. The elements of $F_{k,1}$ can be given the following interpretation. First we
define the concept of a rank function on a (partial) order structure $(S, <)$. The rank of an element
$t \in S$ is

$$\mathrm{rank}_S(t) = |\{x \in S : x < t\}|,$$

i.e., the number of elements that strictly precede $t$. Every element $\varphi \in G_{k,1}$ can be represented
(after appropriate restriction) by a bijective partial function $\varphi : A^* \to A^*$ such that $\mathrm{imC}(\varphi) = A^n$ for
some $n > 0$, and $\mathrm{domC}(\varphi)$ is some finite maximal prefix code of cardinality $k^n$ (where $|A| = k$). If we
view the elements of $A^n$ as the integers $\{0, 1, \ldots, k^n - 1\}$ in base-$k$ representation we have:

$F_{k,1}$ consists of all elements of $G_{k,1}$ that can be represented by rank functions
$\mathrm{rank}_P(.) : P \to \{0, 1, \ldots, k^n - 1\}$,

where $n$ ranges over the positive integers, and $P \subset A^*$ ranges over all maximal prefix codes of
cardinality $k^n$. This point of view will help us later in proving that elements of $F_{k,1}$ can have high
computational complexity, even when their domain code $\mathrm{domC}(\varphi)$ has an easy membership problem
(see Theorem 17. 16(1 . 

Overview: This paper consists of the following parts: 

Part 1 consists of sections 2, 3, and 4. We introduce the subgroup $\mathrm{lp}G_{k,1}$ of length preserving
elements of the Thompson-Higman group $G_{k,1}$, and we give the $\mathrm{lp}G_{k,1} \cdot F_{k,1}$ factorization of $G_{k,1}$; we
generalize this unique factorization to other subgroups of $G_{k,1}$.

Section 5 makes the transition from part 1 to part 2, by giving a connection between circuits and
some properties of $\mathrm{lp}G_{k,1}$.

Part 2 consists of sections 6 and 7. We study $V$ as a model for reversible circuits. We also investigate
the complexity of some problems: We show that elements of $F$ cannot be one-way functions, and we
show that finding the $\mathrm{lp}V \cdot F$ factorization of an element of $V$ given by a circuit is $\#\mathcal{P}$-complete.

2 The subgroups $\mathrm{lp}G_{k,1}$ and $\mathrm{lp}T_{k,1}$

The Thompson-Higman group $G_{k,1}$ contains all finite symmetric groups, and this inspires the definition
of the subgroup $\mathrm{lp}G_{k,1}$ of all length-preserving elements of $G_{k,1}$. We will denote $\mathrm{lp}G_{2,1}$ also by $\mathrm{lp}V$.
Another motivation of $\mathrm{lp}V$, which we will develop more later, is the computation of elements of $V$
and $\mathrm{lp}V$ by digital circuits. Indeed, circuits traditionally have a fixed length for inputs and a fixed
length for outputs (corresponding to fixed numbers of wires); for bijective functions this means length
preservation.

Definition 2.1 The subgroup of length-preserving elements of the Thompson-Higman group $G_{k,1}$ is
$\mathrm{lp}G_{k,1} = \{\varphi \in G_{k,1} : \forall x \in \mathrm{Dom}(\varphi),\ |x| = |\varphi(x)|\}$. Similarly we define $\mathrm{lp}T_{k,1} = T_{k,1} \cap \mathrm{lp}G_{k,1}$.

Restriction or extension of a length-preserving partial function $A^* \to A^*$, representing an element of
$G_{k,1}$, is again length preserving, so $\mathrm{lp}G_{k,1}$ is well-defined as a subset of the group $G_{k,1}$. The inverse
of a length-preserving partial function is also length-preserving. After a restriction, if necessary, any
finite set of elements of $\mathrm{lp}G_{k,1}$ can be represented by permutations of the same set $A^m$, for any large
enough $m$. Hence $\mathrm{lp}G_{k,1}$ is closed under composition. It follows that $\mathrm{lp}G_{k,1}$ is a subgroup of $G_{k,1}$. The
group $\mathrm{lp}G_{k,1}$ is locally finite (i.e., every finitely generated subgroup is finite), and $\mathrm{lp}G_{k,1}$ contains all
the finite symmetric groups $\mathfrak{S}_{A^n}$, for all $n > 1$.

Assume we restrict an element $\varphi \in \mathrm{lp}G_{k,1}$ so that its domain and image codes are both $A^m$ for some
$m$. Then the additional overall restriction operation (which replaces each $\varphi(x) = y$ by the $k$-tuple
$\varphi(xa) = ya$, where $a$ ranges over $A$) leads to the following embeddings:

where for all $x \in A^n$ and $a \in A$ we define $(\pi \otimes \mathrm{id}_A)(xa) = \pi(x) \cdot a$ (where $\cdot$ denotes concatenation).
This type of embedding of symmetric groups is called diagonal |3Uj, [15]. Moreover, when $|A| = k$ is
even then the above embedding factors through the alternating group

$$\mathfrak{S}_{A^n} \hookrightarrow \mathfrak{A}_{A^{n+1}} \subset \mathfrak{S}_{A^{n+1}}.$$

Indeed we have the following generalization of an observation of [23] (see also Section 5 below): For
any positive integer $n$ and any $\pi \in \mathfrak{S}_{A^n}$, the permutation $\pi \otimes \mathrm{id}_A$ is even. Indeed, the transformation
$\pi \mapsto \pi \otimes \mathrm{id}_A$ replaces one transposition $(u|v)$ of $\pi$ (with $u, v \in A^n$) by the sequence of transpositions
$(ua_1|va_1) \ldots (ua_k|va_k)$, i.e., $k$ transpositions with $k$ even; here $A = \{a_1, \ldots, a_k\}$.

The above embeddings yield the following. 

Proposition 2.2 The group $\mathrm{lp}G_{k,1}$ is isomorphic to the direct limit of the sequence of diagonal
embeddings $\otimes\,\mathrm{id}_A : \mathfrak{S}_{A^n} \hookrightarrow \mathfrak{S}_{A^{n+1}}$.

When $|A| = k$ is even, $\mathrm{lp}G_{k,1}$ is isomorphic to the direct limit of the sequence of embeddings
c 6 

These are examples of the direct limits of symmetric groups considered in [17], chapter 6, and in
[15], section 1.5. The embedding maps are of "diagonal" type, in the terminology of these references.
By these references we also conclude that when $k$ is even, $\mathrm{lp}G_{k,1}$ is a simple group, and when $k$ is odd,
$\mathrm{lp}G_{k,1}$ has a simple subgroup of index 2 (via the parity map). In any case, it also follows from [17]
and [E] that $\mathrm{lp}G_{k,1}$ is different from the finitary symmetric group and the finitary alternating group;
indeed, the finitary symmetric group does not contain any Prüfer groups, whereas $\mathrm{lp}G_{k,1}$ contains
$\mathrm{lp}T_{k,1}$ which is a group of Prüfer type (as we shall see next). However, $\mathrm{lp}G_{k,1}$ also contains many
copies of the finitary symmetric group (as was mentioned in [25]).

The observations above apply also to the Thompson group $T_{k,1}$. Let us denote by $\mathbb{Z}_{A^n}$ the cyclic
subgroup of $\mathfrak{S}_{A^n}$ generated by the permutation $w_i \mapsto w_{(i+1) \bmod k^n}$, where $(w_i : i = 0, 1, \ldots, k^n - 1)$
is the listing of $A^n$ in dictionary order. $\mathbb{Z}_{A^n}$ consists of the elements of $\mathfrak{S}_{A^n}$ that cyclically preserve
the dictionary order. Just as for the symmetric groups on $A^n$, the restriction operation of $G_{k,1}$ gives
an embedding of $\mathbb{Z}_{A^n}$ into $\mathbb{Z}_{A^{n+1}}$, by the transformation $\otimes\,\mathrm{id}_A$ which sends the generator
$(w_i \mapsto w_{(i+1) \bmod k^n})$ of $\mathbb{Z}_{A^n}$ to the element $(v_j \mapsto v_{(j+k) \bmod k^{n+1}})$ of $\mathbb{Z}_{A^{n+1}}$. Here, $(v_j : j = 0, 1, \ldots, k^{n+1} - 1)$
is the listing of $A^{n+1}$ in dictionary order. Thus we have:

Proposition 2.3 The group $\mathrm{lp}T_{k,1}$ is isomorphic to the $k^\infty$ Prüfer group, given by the direct limit of
the sequence of embeddings $\mathbb{Z}_{A^n} \hookrightarrow \mathbb{Z}_{A^{n+1}}$, where the embeddings are determined by the restriction
operation of $G_{k,1}$.

The $k^\infty$ Prüfer group is isomorphic to the multiplicative group of the complex $k^n$-th roots of unity
(for all $n > 0$), or the additive group of $k$-ary rationals modulo 1, i.e., $\{\frac{m}{k^n} \bmod 1 : n, m \in \mathbb{N}\}$.
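
The diagonal embedding $\pi \mapsto \pi \otimes \mathrm{id}_A$ used for Propositions 2.2 and 2.3 can be checked exhaustively on small alphabets. The following Python code is an added example, not part of the paper; the function names are illustrative, and permutations are represented as dicts on the words of $A^n$.

```python
from itertools import permutations, product

def words(alphabet, n):
    """A^n listed in dictionary order (alphabet given in increasing order)."""
    return ["".join(t) for t in product(alphabet, repeat=n)]

def diagonal_embed(pi, alphabet):
    """pi (x) id_A: the permutation xa -> pi(x)a of A^(n+1), for pi on A^n."""
    return {x + a: y + a for x, y in pi.items() for a in alphabet}

def parity(perm):
    """0 for an even permutation, 1 for an odd one.

    A cycle of length L is a product of L - 1 transpositions.
    """
    seen, transpositions = set(), 0
    for start in perm:
        x, length = start, 0
        while x not in seen:
            seen.add(x)
            x = perm[x]
            length += 1
        transpositions += max(length - 1, 0)
    return transpositions % 2

def parity_pairs(alphabet, n):
    """All pairs (parity(pi), parity(pi (x) id_A)) for pi in the symmetric group on A^n."""
    ws = words(alphabet, n)
    return {(parity(p), parity(diagonal_embed(p, alphabet)))
            for p in (dict(zip(ws, img)) for img in permutations(ws))}

def cyclic_shift(ws, step):
    """w_i -> w_{(i + step) mod len(ws)} for a list ws in dictionary order."""
    return {w: ws[(i + step) % len(ws)] for i, w in enumerate(ws)}

def generator_image_matches(alphabet, n):
    """Does (x) id_A send w_i -> w_{i+1} on A^n to v_j -> v_{j+k} on A^(n+1)?"""
    k = len(alphabet)
    g = cyclic_shift(words(alphabet, n), 1)
    return diagonal_embed(g, alphabet) == cyclic_shift(words(alphabet, n + 1), k)

if __name__ == "__main__":
    print(parity_pairs("ab", 2))    # k even: every image is even
    print(parity_pairs("abc", 1))   # k odd: parity is preserved
    print(generator_image_matches("abc", 2))
```

For even $k$ every image lands in the alternating group, while for odd $k$ the parity of $\pi$ is preserved, which is the parity map mentioned above.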

3 Length-preserving order-preserving factorization of $G_{k,1}$ and $T_{k,1}$

Let 1 denote the identity of 

Lemma 3.1 If an element of $F_{k,1}$ has a representation $f : A^* \to A^*$ such that $\mathrm{domC}(f) = \mathrm{imC}(f)$
then $f$ represents the identity. Hence, $F_{k,1} \cap \mathrm{lp}G_{k,1} = \{\mathbf{1}\}$.

Proof. Since $\mathrm{domC}(f) = \mathrm{imC}(f)$, $f$ is a permutation of $\mathrm{domC}(f)$. For any finite set of words, the
only permutation that preserves the dictionary order is the identity.

We saw already that every element $\varphi \in \mathrm{lp}G_{k,1}$ can be represented by a permutation of $A^m$ for
some $m > 0$, so $\mathrm{domC}(\varphi) = \mathrm{imC}(\varphi)$ for every $\varphi \in \mathrm{lp}G_{k,1}$. □

Theorem 3.2

• We have $G_{k,1} = \mathrm{lp}G_{k,1} \cdot F_{k,1}$ where every element $\varphi$ of $G_{k,1}$ has a unique factorization $\varphi = \pi \cdot f$
with $\pi \in \mathrm{lp}G_{k,1}$ and $f \in F_{k,1}$.

• Symmetrically there is a unique factorization $G_{k,1} = F_{k,1} \cdot \mathrm{lp}G_{k,1}$.

• For $T_{k,1}$ there are unique factorizations $T_{k,1} = \mathrm{lp}T_{k,1} \cdot F_{k,1} = F_{k,1} \cdot \mathrm{lp}T_{k,1}$.

Proof. Uniqueness of the factorization follows immediately from Lemma 3.1: If $\pi_1 f_1 = \pi_2 f_2$ then
$\pi_2^{-1} \pi_1 = f_2 f_1^{-1} \in F_{k,1} \cap \mathrm{lp}G_{k,1} = \{\mathbf{1}\}$, hence $\pi_2^{-1} \pi_1 = \mathbf{1} = f_2 f_1^{-1}$. Existence follows from the following
factorization algorithm, whose input is any $\varphi \in G_{k,1}$.

Factorization algorithm: 

(1) Restrict $\varphi$ so that its image code becomes $A^n$ for some $n > 0$. Let $P$ be the corresponding
domain code (of cardinality $k^n$). So now $\varphi$ is represented by a bijection $P \to A^n$.

(2) Let $f : P \to A^n$ be the unique element of $F_{k,1}$ determined by the finite maximal prefix codes $P$
and $A^n$.

(3) Let $\pi(.) = \varphi f^{-1}(.)$; then $\varphi = \pi f$. [End of algorithm.]

We claim that $\pi \in \mathrm{lp}G_{k,1}$. Indeed, the domain code and the image code of $\pi$ are both $A^n$; hence
it preserves length.

In the case of $T_{k,1}$ we observe that if $\varphi \in T_{k,1}$ then the unique factorization $\varphi = \pi f$ yields
$\pi = \varphi f^{-1} \in T_{k,1}$ (since $\varphi \in T_{k,1}$ and $F_{k,1} \subset T_{k,1}$). □

Observe that $f \in F_{k,1}$, produced by the factorization algorithm, is the ranking function of $P$, when
we view $A^n$ as the integers $\{0, 1, \ldots, k^n - 1\}$ in base-$k$ notation.

We will examine how the table sizes of $\pi \in \mathrm{lp}G_{k,1}$ and $f \in F_{k,1}$ are related to the table size of $\varphi$
when $\varphi = \pi f$. It turns out that $\pi$ and $f$ can have exponentially larger size than $\varphi$. In a later section
we'll consider other complexity measures for $\pi$ and $f$.

Proposition 3.3 For all $n > 2$ there are elements $\varphi_n \in T_{2,1}$ whose factorization $\varphi_n = \pi_n f_n$ leads
to an exponential increase in table size. More precisely, $\varphi_n$ can be found so that $\|\varphi_n\| = n$, and

Proof. Let us pick $\varphi_n \in T_{2,1}$ given by the following table, over the alphabet $A = \{a, b\}$:

$$\varphi_n = \begin{bmatrix}
a^{n-1} & a^{n-2}b & \cdots & a^{i}b & \cdots & a^{2}b & ab & b \\
a^{n-2}b & a^{n-3}b & \cdots & a^{i-1}b & \cdots & ab & b & a^{n-1}
\end{bmatrix}$$

So, $\varphi_n$ is a cyclic permutation of the finite maximal prefix code $\{a^{n-1}\} \cup \{a^i b : i = n-2, \ldots, 1, 0\}$.
One observes that $\varphi_n$ is reduced (unextendable) as given by the table, hence $\|\varphi_n\| = n$.

The longest words in the image code of $\varphi_n$ in the above table have length $n - 1$. When we restrict
$\varphi_n$ and let its image code become $\{a, b\}^{n-1}$ we obtain the following table of size $2^{n-1}$ for $\varphi_n$, where
$x_j$ ranges over $\{a, b\}^j$ (for $j = 1, \ldots, n - 2$):

$$\varphi_n = \begin{bmatrix}
a^{n-1} & a^{n-2}b x_1 & \cdots & a^{i}b x_{n-i-1} & \cdots & a^{2}b x_{n-3} & ab x_{n-2} & b \\
a^{n-2}b & a^{n-3}b x_1 & \cdots & a^{i-1}b x_{n-i-1} & \cdots & ab x_{n-3} & b x_{n-2} & a^{n-1}
\end{bmatrix}$$
Then in the factorization $\varphi_n(.) = \pi_n f_n(.)$ we have:

$$f_n = \begin{bmatrix}
a^{n-1} & a^{n-2}ba & a^{n-2}bb & \cdots & a^{i}ba^{n-i-1} & a^{i}b\,s(x_{n-i-1}) & a^{i-1}ba^{n-i} & \cdots & a^{2}ba^{n-3} & a^{2}b\,s(x_{n-3}) & aba^{n-2} & ab\,s(x_{n-2}) & b \\
a^{n-1} & a^{n-2}b & a^{n-3}ba & \cdots & a^{i}bb^{n-i-2} & a^{i-1}b x_{n-i-1} & a^{i-1}bb^{n-i-1} & \cdots & a^{2}bb^{n-4} & ab x_{n-3} & abb^{n-3} & b x_{n-2} & b^{n-1}
\end{bmatrix}$$

where each $x_j$ ranges over $\{a, b\}^j - \{b^j\}$, and where $s(x_j)$ denotes the successor of $x_j$ in the dictionary
order; hence, $s(x_j)$ ranges over $\{a, b\}^j - \{a^j\}$. In the table, the strings $x_j$ and the strings $s(x_j)$ appear
in dictionary order. We also have

$$\pi_n = \begin{bmatrix}
a^{n-1} & a^{n-2}b & a^{n-3}ba & \cdots & a^{i}bb^{n-i-2} & a^{i-1}b x_{n-i-1} & \cdots & a^{2}bb^{n-4} & ab x_{n-3} & abb^{n-3} & b x_{n-2} & b^{n-1} \\
a^{n-2}b & a^{n-3}ba & a^{n-3}bb & \cdots & a^{i-1}ba^{n-i-1} & a^{i-1}b\,s(x_{n-i-1}) & \cdots & aba^{n-3} & ab\,s(x_{n-3}) & ba^{n-2} & b\,s(x_{n-2}) & a^{n-1}
\end{bmatrix}$$

where the words $x_j$ and $s(x_j)$ range over the same values and have the same meaning as for $f_n$.

One sees in the table of $\pi_n$ that for every argument $x$, $\pi_n(x)$ differs from $x$ in the right-most letter:
whenever $x$ ends in $a$, $\pi_n(x)$ ends in $b$, and vice versa. Hence, $\pi_n$ as given by the table, is reduced
(cannot be extended). Hence, $\|\pi_n\|$ is the size of the above table, i.e., $2^{n-1}$. Similarly, in the table for
$f_n$, $x$ and $f_n(x)$ differ in the right-most letter, except when $x = a^{n-1}$ or $x = b$. Hence $f_n$ as given by
the table is reduced, and $\|f_n\| = 2^{n-1}$. □
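
The factorization algorithm of Theorem 3.2, run on the elements $\varphi_n$ of Proposition 3.3, is shown here as an added Python example (not code from the paper). It assumes $k = 2$ with $A = \{a, b\}$, represents an element by its table as a dict from domain code to image code, and uses illustrative function names.

```python
from fractions import Fraction
from itertools import product

A = "ab"  # alphabet with linear order a < b, so k = 2 and G_{k,1} is V

def is_maximal_prefix_code(code):
    """Finite maximal prefix code: prefix-free with Kraft sum equal to 1."""
    ws = sorted(code)  # Python string order is the dictionary order on A*
    prefix_free = all(not v.startswith(u) for u, v in zip(ws, ws[1:]))
    kraft = sum(Fraction(1, len(A) ** len(w)) for w in ws)
    return prefix_free and kraft == 1

def restrict(table, n):
    """Restrict a table {x: y} so that its image code becomes A^n."""
    out = {}
    for x, y in table.items():
        for z in product(A, repeat=n - len(y)):
            out[x + "".join(z)] = y + "".join(z)
    return out

def maximally_extend(table):
    """Undo restrictions: merge the rows xa -> ya (all a in A) into x -> y."""
    t = dict(table)
    changed = True
    while changed:
        changed = False
        for x in sorted(t):
            if x not in t or not x or not t[x]:
                continue
            p, q = x[:-1], t[x][:-1]
            if all(t.get(p + a) == q + a for a in A):
                for a in A:
                    del t[p + a]
                t[p] = q
                changed = True
    return t

def table_size(table):
    """||phi||: number of rows of the maximally extended table."""
    return len(maximally_extend(table))

def factor(table):
    """Steps (1)-(3) of the algorithm: returns (pi, f, phi) with phi(x) = pi(f(x))."""
    n = max(len(y) for y in table.values())
    phi = restrict(table, n)                        # (1) imC(phi) = A^n
    P = sorted(phi)                                 # domain code, dictionary order
    An = ["".join(w) for w in product(A, repeat=n)]
    f = dict(zip(P, An))                            # (2) rank function of P
    pi = {f[x]: phi[x] for x in P}                  # (3) pi = phi f^{-1}
    return pi, f, phi

def phi_n(n):
    """Table of phi_n in T_{2,1} from the proof of Proposition 3.3."""
    t = {"a" * (n - 1): "a" * (n - 2) + "b", "b": "a" * (n - 1)}
    for i in range(1, n - 1):
        t["a" * i + "b"] = "a" * (i - 1) + "b"
    return t

def blowup(n):
    """(||phi_n||, ||pi_n||, ||f_n||) for the factorization phi_n = pi_n f_n."""
    pi, f, _ = factor(phi_n(n))
    return table_size(phi_n(n)), table_size(pi), table_size(f)

if __name__ == "__main__":
    for n in range(3, 9):
        print(n, blowup(n))
```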



4 Other factorizations of $G_{k,1}$ and $T_{k,1}$

We will give an infinite collection of torsion subgroups $S$ of $G_{k,1}$ that can be used for factoring $G_{k,1}$
as $S \cdot F_{k,1}$.

If $P \subset A^*$ is a finite maximal prefix code then for every $n > 0$, the overall restriction operation in
$G_{k,1}$ determines a diagonal embedding

$$\otimes\,\mathrm{id}_A : \pi \in \mathfrak{S}_{PA^n} \longmapsto \pi \otimes \mathrm{id}_A \in \mathfrak{S}_{PA^{n+1}}$$

where $(\pi \otimes \mathrm{id}_A)(xa) = \pi(x) \cdot a$, for all $x \in PA^n$, $a \in A$. This is a generalization of the embedding
$\mathfrak{S}_{A^n} \hookrightarrow \mathfrak{S}_{A^{n+1}}$ that we saw earlier (which was the special case when $P$ consists of just the empty word).
We then take the direct limit of this sequence of symmetric groups and obtain a subgroup of $G_{k,1}$,
denoted by

$$\bigcup_{n>1} \mathfrak{S}_{PA^n}.$$

Just as for $\mathrm{lp}G_{k,1}$, when $k = |A|$ is even the group $\bigcup_{n>1} \mathfrak{S}_{PA^n}$ is simple, and when $k$ is odd the group
has a simple subgroup of index 2 (via the parity map).

Theorem 4.1 If $P \subset A^*$ is a finite maximal prefix code then $S = \bigcup_{n>1} \mathfrak{S}_{PA^n}$ is a subgroup of
$G_{k,1}$, and we have $G_{k,1} = S \cdot F_{k,1}$. Moreover, $S \cap F_{k,1} = \{\mathbf{1}\}$, hence we have a unique factorization.

The group $T_{k,1}$ has the subgroup $Z = \bigcup_{n>1} \mathbb{Z}_{PA^n}$ and we have $T_{k,1} = Z \cdot F_{k,1}$, with unique
factorization for every element of $T_{k,1}$.






Proof. Every element $\varphi$ of $\mathfrak{S}_{PA^n}$, as an element of $G_{k,1}$, has finite domain and image codes that are
the same: $\mathrm{domC}(\varphi) = \mathrm{imC}(\varphi)$. Hence by Lemma 3.1, if $\varphi \in F_{k,1}$ then $\varphi = \mathbf{1}$. Hence, $S \cap F_{k,1} = \{\mathbf{1}\}$,
which implies uniqueness of the factorization as we saw in the beginning of the proof of Theorem 3.2.

To prove existence of the factorization we use the same factorization algorithm as in the proof
of Theorem 3.2. Let $\varphi' : P_1 \to Q_1$ represent any element of $G_{k,1}$, where $P_1$ and $Q_1$ are finite
maximal prefix codes. Then by restriction we obtain a representation of the same element of the form
$\varphi : P_2 \to PA^n$, where it suffices to choose $n$ such that $PA^n A^* \subset Q_1 A^*$; since $P$ and $Q_1$ are finite
maximal prefix codes, such an $n$ exists. The remainder of the proof follows from the same idea as for
Theorem 3.2. We let $f : P_2 \to PA^n$ be the (unique) element of $F_{k,1}$ determined by the finite maximal
prefix codes $P_2$ and $PA^n$, and let $\pi = \varphi f^{-1}$, then $\mathrm{domC}(\pi) = \mathrm{imC}(\pi) = PA^n$, hence $\pi \in \mathfrak{S}_{PA^n}$.

When $\varphi \in T_{k,1}$ the unique factorization $\varphi = \pi f$ satisfies $\pi = \varphi f^{-1} \in T_{k,1}$ (since $F_{k,1} \subset T_{k,1}$),
hence $\pi \in T_{k,1} \cap S = Z$. □

Higman (in [16], Section 6) shows that the question whether a given element of $G_{k,1}$ has finite
order, is decidable. The following theorem shows that every element of finite order of $G_{k,1}$ belongs to
some subgroup $\mathfrak{S}_P$, for some finite maximal prefix code $P$. Note that $\mathrm{domC}(\varphi) = \mathrm{imC}(\varphi) = P$ iff
$\varphi \in \mathfrak{S}_P$.

Theorem 4.2 Let $\Phi \in G_{k,1}$. Then $\Phi$ has finite order iff for some restriction $\varphi$ of $\Phi$ we have
$\mathrm{domC}(\varphi) = \mathrm{imC}(\varphi)$.

Proof. If $\mathrm{domC}(\varphi) = \mathrm{imC}(\varphi) = P$ then $\varphi \in \mathfrak{S}_P$, hence $\varphi$ has finite order.

Conversely, suppose that $\Phi$ is of finite order $r$, i.e., $\Phi^r(.) = \mathrm{id}(.)$ with $r > 0$, and $\Phi^i(.) \neq \mathrm{id}(.)$ for
$0 < i < r$. By sufficiently restricting $\Phi$ we obtain maximal finite prefix codes $P_0, P_1, \ldots, P_r \subset A^*$ such
that for some restriction $\varphi : A^* \to A^*$ of $\Phi$ we have $P_0 \xrightarrow{\varphi} P_1 \xrightarrow{\varphi} \ldots \xrightarrow{\varphi} P_{r-1} \xrightarrow{\varphi} P_r$, and
$\varphi(P_i) = P_{i+1}$ for $i = 0, 1, \ldots, r - 1$. Since $\varphi^r(.) = \mathrm{id}(.)$ it follows that $P_0 = P_r$.

Claim: For every $x \in P_0$, $C_x = \{\varphi^i(x) : i = 0, 1, \ldots, r - 1\}$ is a prefix code.

(Note: We only claim that no two $\varphi^i(x)$ are strict prefixes of each other; we do not rule out that
$\varphi^i(x) = \varphi^j(x)$ for some $0 < i \neq j < r$.)

Proof of the Claim. If, by contradiction, we have $\varphi^\ell(x) = x z$, for a non-empty word $z \in A^*$ and
$x \in P_0$, then for all $m > 0$ we have: $\varphi^{m\ell}(x) = x z^m$. This implies that $\bigcup_{i=0}^{r} P_i$ contains words of
arbitrarily large length, which contradicts the fact that the prefix codes $P_i$ are finite.

It follows that when $i > j$ then $\varphi^j(x) \in P_j$ cannot be a strict prefix of $\varphi^i(x)$, since applying $\varphi^{-j}$
to $\varphi^i(x) = \varphi^j(x)\, z$ yields $\varphi^{i-j}(x) = x z$.

Similarly, if we have $\varphi^i(x) = \varphi^j(x)\, z$ for a non-empty word $z \in A^*$ and $x \in P_0$ and if $i < j$ then,
applying $\varphi^{r-j}$ yields $\varphi^{r+i-j}(x) = x z$, and the reasoning in the first paragraph (with $\ell = r + i - j$)
again yields a contradiction. We conclude that $\varphi^i(x)$ and $\varphi^j(x)$ cannot be strict prefixes of each other.
[End, Proof of Claim.]

The Claim implies that $\varphi(C_x) = C_x$ and that $C_x$ is a cycle of $\varphi$. For each $x \in P_0$ we have a cycle
$C_x$ as above. For different $x \in P_0$ the corresponding cycles yield either the same set or disjoint sets,
i.e., for each $x, y \in P_0$, either $C_x = C_y$ or $C_x \cap C_y = \emptyset$. So, $P_0$ is partitioned into cycles of $\varphi$, hence
$\varphi(P_0) = P_0$. □

As a consequence of Theorem 4.2 and Lemma 3.1 we recover a result of Brin and Squier [I]:

Corollary 4.3 The group $F_{k,1}$ is torsion-free.

Theorem 4.4 If $P_1, P_2 \subset A^*$ are finite maximal prefix codes let $S_i = \bigcup_{n>0} \mathfrak{S}_{P_i A^n}$ for $i = 1$ or $2$.
We have:

$S_1 = S_2$ iff $\{P_1 A^n : n > 0\} \cap \{P_2 A^m : m > 0\} \neq \emptyset$;

When $S_1 \neq S_2$, the subgroup generated by $S_1 \cup S_2$ contains infinitely many elements of $F_{k,1}$.

Proof. If $P_1 A^N = P_2 A^M$ for some $M, N > 0$ then $S_1 = \bigcup_{n>0} \mathfrak{S}_{P_1 A^n} = \bigcup_{n>0} \mathfrak{S}_{P_1 A^N A^n}$, since
$\mathfrak{S}_{P_1 A^i} \hookrightarrow \mathfrak{S}_{P_1 A^N}$ when $i < N$. Similarly, $\bigcup_{m>0} \mathfrak{S}_{P_2 A^M A^m} = S_2$. Now, since $P_1 A^N = P_2 A^M$ we have
$\bigcup_{n>0} \mathfrak{S}_{P_1 A^N A^n} = \bigcup_{m>0} \mathfrak{S}_{P_2 A^M A^m}$, hence $S_1 = S_2$.

In the other direction, under the condition $\{P_1 A^n : n > 0\} \cap \{P_2 A^m : m > 0\} = \emptyset$ we will prove
that the subgroup of $G_{k,1}$ generated by $S_1$ and $S_2$ together contains some non-identity elements of
$F_{k,1}$. Since $S_1$ and $S_2$ are torsion groups whereas $F_{k,1}$ is torsion-free, this implies that $S_1 \neq S_2$.

Claim. There exist $n_0, m_0 > 0$ such that $P_1 A^{n_0} \cap P_2 A^{m_0} \neq \emptyset$, and $P_1 A^{n_0} \neq P_2 A^{m_0}$. Moreover,
there are $v_1 \in P_1 A^{n_0} - P_2 A^{m_0}$ and $v_2 \in P_2 A^{m_0} - P_1 A^{n_0}$ such that $v_1$ is a strict prefix of $v_2$.

Proof of the Claim: First, since each $P_i$ is a finite maximal prefix code, every long enough word
belongs to $P_i A^*$; e.g., every word $w \in A^*$ of length $> \max\{|p| : p \in P_1\}$ belongs to $P_1 A^*$. Therefore,
for all $m$ large enough (e.g., all $m > \max\{|p| : p \in P_1\}$) we have $P_2 A^m \subset P_1 A^*$. Let $m_0 > 0$ be such
that $P_2 A^{m_0} \subset P_1 A^*$, and let us consider the possible $n > 0$ such that $P_2 A^{m_0} \subset P_1 A^n A^*$. For every
$p_2 u \in P_2 A^{m_0}$ there exists exactly one $p_1 v \in P_1 A^n$ such that $p_1 v$ is a prefix of $p_2 u$. If $p_1 v \neq p_2 u$, we
can increase the length of $v$ (i.e., increase $n$) to move $p_1 v$ closer to $p_2 u$, until $p_1 v = p_2 u$. Thus, there
exists $n_0$ such that $P_1 A^{n_0} \cap P_2 A^{m_0} \neq \emptyset$.

Finally, $P_1 A^{n_0} \neq P_2 A^{m_0}$ by the hypothesis that $\{P_1 A^n : n > 0\} \cap \{P_2 A^m : m > 0\} = \emptyset$. Since
$P_1 A^{n_0} \neq P_2 A^{m_0}$ and since $P_1 A^{n_0}$ and $P_2 A^{m_0}$ are finite maximal prefix codes, $P_1 A^{n_0}$ and $P_2 A^{m_0}$ are
not strict subsets of each other. Hence there exist $v_1 \in P_1 A^{n_0} - P_2 A^{m_0}$ and $v_2 \in P_2 A^{m_0} - P_1 A^{n_0}$.
Moreover, since $P_2 A^{m_0} \subset P_1 A^{n_0} A^*$ we have: For any $v_2 \in P_2 A^{m_0}$ there exists $v_1 \in P_1 A^{n_0}$ such that
$v_1$ is a prefix of $v_2$. Since $v_2 \notin P_1 A^{n_0}$, $v_1$ is a strict prefix of $v_2$. [This proves the Claim.]

We will now construct an element $\gamma_1 \in S_1$ whose $S_2 \cdot F_{k,1}$ factorization is of the form $\gamma_1 = \pi_2 f$
with $f \neq \mathbf{1}$. From this we obtain two elements $\gamma_1 \in S_1$ and $\pi_2 \in S_2$ such that $\pi_2^{-1} \gamma_1 = f \in F_{k,1}$ with
$f \neq \mathbf{1}$.

Since $P_1 A^{n_0} \cap P_2 A^{m_0} \neq \emptyset$, there is $u_1 \in P_1 A^{n_0} \cap P_2 A^{m_0}$. Using $u_1$ and the words $v_1$ and $v_2$ from
the Claim, we now define $\gamma_1 = (u_1|v_1)$; i.e., $\gamma_1$ is the permutation of $P_1 A^{n_0}$ that transposes the two
words $u_1$ and $v_1$, and fixes the rest of $P_1 A^{n_0}$.

By Theorem 4.1, $\gamma_1 = \pi_2 f$ for a unique $\pi_2 \in S_2$ and $f \in F_{k,1}$. The factorization algorithm
given in the proof of Theorem 4.1 finds $\pi_2$ and $f$ by restricting $\gamma_1$ so that its image code becomes
$\mathrm{imC}(\gamma_1) = P_2 A^{m_0}$; the image codes of $f$ and of $\pi_2$ (not necessarily maximally extended), as well as
the domain code of $\pi_2$, will also be $P_2 A^{m_0}$. The table of $\gamma_1$ is

$$\gamma_1 = \begin{bmatrix}
u_1 & v_1 & \text{identity on} \\
v_1 & u_1 & P_1 A^{n_0} - \{u_1, v_1\}
\end{bmatrix}.$$

By restricting so as to make $\mathrm{imC}(\gamma_1) = P_2 A^{m_0}$ we obtain a table of the form

$$\gamma_1 = \begin{bmatrix}
\ldots & u_1 z & \ldots & v_1 \\
\ldots & v_1 z\ (= v_2) & \ldots & u_1
\end{bmatrix}.$$

Here $z \in A^*$ is such that $v_2 = v_1 z$ and $z$ is non-empty (recall that $v_1$ is a strict prefix of $v_2$). Hence for
this restriction of $\gamma_1$, $\pi_2$ and $f$ we have: $\mathrm{domC}(\gamma_1) = \mathrm{domC}(f)$ contains $u_1 z$. But since $u_1 \in P_2 A^{m_0}$
and since $P_2 A^{m_0}$ is a prefix code we find that $u_1 z \notin P_2 A^{m_0} = \mathrm{imC}(f)$. Hence, $\mathrm{domC}(f) \neq \mathrm{imC}(f)$,
therefore $f$ is not the identity. Since $F_{k,1}$ is torsion-free, the conclusion follows. □

Theorem 4.5 If $P_1, P_2 \subset A^*$ are finite maximal prefix codes let $S_i = \bigcup_{n>0} \mathfrak{S}_{P_i A^n}$ for $i = 1$ or $2$. If
$|P_1 A^N| = |P_2 A^M|$ for some $N, M > 0$ then as subgroups of $G_{k,1}$, $S_1 = \theta^{-1} S_2\, \theta$ for some $\theta \in F_{k,1}$.

Proof. Let $\theta$ be the element of $F_{k,1}$ such that $\theta : P_1 A^N \to P_2 A^M$; then $\theta$ can be restricted such that
$\theta : P_1 A^N A^n \to P_2 A^M A^n$ for all $n > 0$. Then as subgroups of $G_{k,1}$, $S_1 = \theta^{-1} S_2\, \theta$. □

Element-specific factorizations 

For any element $\varphi \in G_{k,1}$ with $\mathrm{domC}(\varphi) = P$ and $\mathrm{imC}(\varphi) = Q$ we can apply
Theorem 4.1 to obtain the factorizations $\varphi(.) = \pi_Q f(.) = f \pi_P(.)$, where $f : P \to Q$ belongs to
$F_{k,1}$, $\pi_Q \in \mathfrak{S}_Q$ and $\pi_P \in \mathfrak{S}_P$. Moreover, $\mathfrak{S}_P = f^{-1}\, \mathfrak{S}_Q\, f$.
Note that in this factorization, $\|f\|, \|\pi_Q\|, \|\pi_P\| \le \|\varphi\|$.

If $\varphi, \psi \in G_{k,1}$ are such that $\mathrm{domC}(\varphi) = P$, $\mathrm{imC}(\varphi) = Q = \mathrm{domC}(\psi)$,
and $\mathrm{imC}(\psi) = R$, then
(since domain and ranges match) we have the following multiplication formula for the factorization of

If^(.)=vr^^andV(.)=4/ ,/;then ^ = * /(■)> where * = e ©p, 

and f = f*fv £P M . 

Questions left open: What are all the torsion subgroups of $G_{k,1}$? What are all the torsion,
non-torsion, or torsion-free subgroups $S$ of $G_{k,1}$ for which there is a unique factorization
$G_{k,1} = S \cdot F_{k,1}$? Are the groups $\bigcup_{n>0} \mathfrak{S}_{P_1A^n}$ and
$\bigcup_{n>0} \mathfrak{S}_{P_2A^n}$ non-isomorphic if they do not obey the conditions of Theorem 4.5?

5 Generators of lpV and reversible computing

We are interested in the computation of elements of V and of lpV by circuits. For general information
on circuits see j^Hl HE] ; good references on reversible circuits are ^1 H3 HHl • We will use the 
following fundamental results from the field of reversible computing: 

• (V. Shende, A. Prasad, I. Markov, J. Hayes [23]) Every even permutation of the set $\{0,1\}^n$ can be
computed by a circuit constructed only from bijective gates of type NOT, C-NOT, CC-NOT.

The gates NOT, C-NOT, CC-NOT are well known in the field of reversible computing, and are defined
as follows:

NOT: $x \in \{0,1\} \mapsto \overline{x} \in \{0,1\}$ is the usual negation operation;

C-NOT: $(x, y) \in \{0,1\}^2 \mapsto (x, y \oplus x) \in \{0,1\}^2$ is the controlled NOT, also called the "Feynman gate";

CC-NOT: $(x, y, z) \in \{0,1\}^3 \mapsto (x, y, z \oplus (x \,\&\, y)) \in \{0,1\}^3$ is the doubly controlled NOT, with
$\oplus$ denoting the usual exclusive OR (i.e., addition modulo 2), and $\&$ denoting the logical AND (i.e., multiplication
modulo 2). The doubly controlled not is usually called the "Toffoli gate" [T2l l2fil [27| . 

• [23] For any positive integer $n$ and any permutation $\pi \in \mathfrak{S}_{2^n}$, the permutation

$$(x_1, \dots, x_n, x_{n+1}) \in \{0,1\}^{n+1} \ \mapsto\ \pi(x_1, \dots, x_n) \cdot x_{n+1} \in \{0,1\}^{n+1}$$

is even. Here, "$\cdot$" denotes concatenation. Indeed, one transposition $(u|v)$ (with $u, v \in \{0,1\}^n$) is now
replaced by $(u0|v0)\,(u1|v1)$ (i.e., two transpositions).

As a consequence, every odd permutation of $\{0,1\}^n$ can be computed by a circuit that only makes
use of bijective gates of type NOT, C-NOT, CC-NOT, and that uses an extra identity wire $x_{n+1} \mapsto x_{n+1}$.

• (T. Toffoli [26], [27]) An odd permutation of $\{0,1\}^n$ cannot be computed by any circuit containing
only bijective gates with fewer than $n$ input-output wires. Hence for odd permutations, the extra
identity wire is necessary for bijective computing with a finite collection of gate types.

The above results have some interesting consequences for the group lpV:

First, the overall restriction operation for elements of the Thompson group V (which replaces each
$\varphi(x) = y$ by the pair $\varphi(x0) = y0$, $\varphi(x1) = y1$ for all $x$ in the domain of $\varphi$) now receives
a very concrete interpretation for elements of lpV: For an element $\varphi$ of lpV, the overall restriction is
equivalent to adding an identity wire at the "bottom" of the circuit (i.e., at the right-most position for boolean
variables).

Second, another consequence of the above concerns the generators of lpV. Let $N, C, T$ be the
partial maps $\{0,1\}^* \to \{0,1\}^*$ defined as follows, where $w \in \{0,1\}^*$ is any bitstring:
$N : x_1 w \mapsto \overline{x_1}\, w$, $C : x_1 x_2 w \mapsto x_1 (x_2 \oplus x_1) w$, and
$T : x_1 x_2 x_3 w \mapsto x_1 x_2 (x_3 \oplus (x_2 \,\&\, x_1))\, w$. These maps are just
the NOT, C-NOT, CC-NOT gates, applied only to the first (left-most) bits of a binary string. We leave
$N, C, T$ undefined on bit strings that are too short.

Note that the engineering convention consists of using the same name (e.g., "NOT", "C-NOT", etc.)
for the same operation on different variables in a sequence of variables. But this convention would not
be correct in our setting; e.g., negating the first bit in a string is different from negating the second
bit. In order to implement the operations $N, C, T$ on all bit-positions, i.e., in order to obtain the
gate types NOT, C-NOT, CC-NOT in the engineering sense of the word, we also introduce the position
transpositions $\tau_{i,j} : \{0,1\}^* \to \{0,1\}^*$ (where $1 \le i < j$), defined by

$$\tau_{i,j} : u\, x_i\, v\, x_j\, w \ \mapsto\ u\, x_j\, v\, x_i\, w,$$

where $u, v, w \in \{0,1\}^*$, $|u| = i - 1$, $|v| = j - 1 - i$; and we leave $\tau_{i,j}(s)$ undefined when $|s| < j$.
Note that $\tau_{i,j}$ does not transpose a pair of words $\in \{0,1\}^*$, but boolean variables (or positions within
words).

Proposition 5.1 The group lpV is generated by the set $\{N, C, T\} \cup \{\tau_{i,i+1} : 1 \le i\}$. More generally,
lpGk,i is generated by U {t^+i : 1 < i} for some finite set IV 

The finite alternating group $\mathfrak{A}_{2^n}$ (acting on $\{0,1\}^n$) is generated by the set
$\{N, C, T\} \cup \{\tau_{i,i+1} : 1 \le i < n\}$.

Proof. The Proposition is immediate from the above observations, and in particular the work |2M| . 
□ 



Application: An intuitive generating set for V 

The lpV · F factorization, together with the nice generating set given above for lpV, enables us to
find a finite generating set for V with a nice "physical" interpretation. It follows from the lpV · F
factorization that $\{N, C, T\} \cup \{\tau_{i,i+1} : 1 \le i\} \cup \{\sigma, \sigma_1\}$ is a generating set of V,
where $\{\sigma, \sigma_1\}$ is the generating set of F given in [9] with tables

$$\sigma = \begin{bmatrix} 00 & 01 & 1 \\ 0 & 10 & 11 \end{bmatrix}, \qquad
\sigma_1 = \begin{bmatrix} 0 & 100 & 101 & 11 \\ 0 & 10 & 110 & 111 \end{bmatrix}.$$

We will see that $\sigma_1$ is a "controlled lowering" of $\sigma$ (defined below). In [2] we saw that $\sigma$ can be
viewed as the Z-shift $0^n1 \mapsto 0^{n-1}1$, $01 \mapsto 10$, $1^n0 \mapsto 1^{n+1}0$, on the maximal prefix code
$0^*01 \cup 1^*10$.

Since V is finitely generated, only a finite subset of $\{\tau_{i,i+1} : 1 \le i\}$ will be needed for generating
V. Surprisingly, it turns out that in the presence of the other generators, the Toffoli gate $T$ will not
be needed for V. In detail we have:

Proposition 5.2 The Thompson group V is generated by the finite set $\{N, C, \tau_{1,2}, \sigma, \sigma_1\}$, where
$N$ is the NOT gate applied to the first wire, $C$ is C-NOT (controlled NOT, a.k.a. Feynman gate) applied
to the first two wires, $\tau_{1,2}$ is the transposition of the first two wires, and $\sigma, \sigma_1$ generate the
Thompson group F.



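Proof. We start out with the Higman generators $\kappa, \lambda, \mu, \nu$ of V (see [16]), whose tables are

$$\kappa = \begin{bmatrix} 0 & 1 \\ 1 & 0 \end{bmatrix}, \quad
\lambda = \begin{bmatrix} 00 & 01 & 1 \\ 00 & 1 & 01 \end{bmatrix}, \quad
\mu = \begin{bmatrix} 0 & 10 & 11 \\ 10 & 0 & 11 \end{bmatrix}, \quad
\nu = \begin{bmatrix} 00 & 01 & 10 & 11 \\ 00 & 10 & 01 & 11 \end{bmatrix}.$$

We see that $\kappa = N$ and $\nu = \tau_{1,2}$. For $\lambda$ and $\mu$ we apply the lpV · F factorization algorithm,
which leads to

$$\lambda(.) = \begin{bmatrix} 00 & 01 & 10 & 11 \\ 00 & 10 & 11 & 01 \end{bmatrix} \cdot
\begin{bmatrix} 00 & 010 & 011 & 1 \\ 00 & 01 & 10 & 11 \end{bmatrix}(.)$$

The right factor belongs to F, hence it is generated by $\{\sigma, \sigma_1\}$. It is easy to check that the first
factor is equal to $\tau_{1,2} \cdot C(.)$; recall that $C$ has the table

$$\begin{bmatrix} 00 & 01 & 10 & 11 \\ 00 & 01 & 11 & 10 \end{bmatrix} = \begin{bmatrix} 0 & 10 & 11 \\ 0 & 11 & 10 \end{bmatrix}.$$

A similar calculation leads to a factorization
$\mu(.) = \tau_{1,2} \cdot C \cdot \tau_{1,2} \cdot N \cdot \tau_{1,2} \cdot f(.)$, for some $f \in F$. □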



The lowering operation 

The following operation, inspired by circuits, gives further insight into lpV and F. For any integer
$d > 0$ we define

$$\varphi \in G_{k,1} \ \mapsto\ (\varphi)_d \in G_{k,1} \quad \text{by}$$

$$(\varphi)_d(zx) = z\, \varphi(x) \quad \text{for all } z \in A^d,\ x \in \mathrm{Dom}(\varphi).$$

Recall that $A^d$ is the set of all words of length $d$ over $A$. It is easy to see that for each $d > 0$, the
operation $\varphi \mapsto (\varphi)_d$ is an endomorphism of $G_{k,1}$, which is injective but not surjective; it is
also an endomorphism of $lpG_{k,1}$, of $F_{k,1}$, of $T_{k,1}$, and of $lpT_{k,1}$.

The circuit interpretation of the operation $\varphi \mapsto (\varphi)_d$ is that the "gate" $\varphi$ is lowered by $d$
positions in the circuit through the introduction of $d$ identity wires on top of the "gate" $\varphi$ (i.e., at the
left end of the list of input variables). While $\varphi$ is applied to the boolean variables $x_1, x_2, \dots$, the
lowered gate will be applied to the variables $x_{d+1}, x_{d+2}, \dots$. This is commonly done in circuits, as it
allows the designer to place gates at any place in the circuit. In electrical engineering, traditionally no distinction
is made between a gate and its lowerings; e.g., the C-NOT operation and its lowerings are all just called "C-NOT gates".
The lowering operation is an important link between circuits and their representation by groups or
monoids of functions.

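The lowering operation can be expressed in terms of the transpositions $\tau_{i,i+1}$, although the formula
depends on the length $\ell$ of the longest word $\in A^*$ appearing in the table of $\varphi$. We have:
$(\varphi)_d = \pi^{-1} \varphi\, \pi(.)$, where $\pi$ is the following permutation of bit positions:

If $d + 1 > \ell$ then
$$\pi(.) = \begin{pmatrix} 1 & 2 & \dots & \ell & d+1 & d+2 & \dots & d+\ell \\ d+1 & d+2 & \dots & d+\ell & 1 & 2 & \dots & \ell \end{pmatrix}.$$

If $d + 1 \le \ell$ then
$$\pi(.) = \begin{pmatrix} 1 & 2 & \dots & d & d+1 & d+2 & \dots & d+\ell \\ 1+\ell & 2+\ell & \dots & d+\ell & 1 & 2 & \dots & \ell \end{pmatrix}.$$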

When we write elements of G/. % as elements of the Cuntz algebra Ok (according to (21 and |21|). 
we see that the lowering operation is an endomorphism of Ok given by the formula 

$$\gamma \in O_k \ \mapsto\ (\gamma)_d = \sum_{z \in A^d} z\, \gamma\, \overline{z} \ \in O_k.$$

Note that all transpositions of variables (or wires) $\tau_{i,i+1}$ are obtained from the transposition of
variables $\tau_{1,2}$ by $\tau_{i,i+1} = (\tau_{1,2})_{i-1}$. So, the lowering operations, together with a finite set of
elements of $lpG_{k,1}$, yield a generating set of $lpG_{k,1}$. For $G_{k,1}$ we already saw that the transpositions of
variables are redundant as generators (since $G_{k,1}$ is finitely generated), but that the use of the transpositions of
variables shortens the word length; we will see (Theorem 7.5) that when the transpositions of variables
are added to a finite generating set of $G_{k,1}$ then the word length becomes approximately the same as
the bijective-circuit complexity. For $F_{k,1}$ it will be interesting to consider generating sets of the form
$\Gamma \cup \bigcup_{d \ge 1} (\Gamma)_d$, where $\Gamma$ is any finite generating set of $F_{k,1}$, and where
$(\Gamma)_d = \{(f)_d : f \in \Gamma\}$ (see the open problems at the end of Section 6).
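
The gates $N, C, T$, the position transpositions $\tau_{i,j}$ and the lowering operation can be checked mechanically on small wire counts. The following Python sketch is an added illustration, not code from the paper; the helper names (`tau`, `lower`, `compose`, `table`, `is_even`, `extend_with_identity_wire`) are assumptions of this example. It verifies $\tau_{i,i+1} = (\tau_{1,2})_{i-1}$, the parity statements about the extra identity wire, and the identity "first factor of $\lambda$ equals $\tau_{1,2} \cdot C$" from the proof of Proposition 5.2.

```python
from itertools import product

def N(s):
    """NOT on the first bit; None where the partial map is undefined."""
    return None if len(s) < 1 else str(1 - int(s[0])) + s[1:]

def C(s):
    """C-NOT on the first two bits: x1 x2 w -> x1 (x2 xor x1) w."""
    if len(s) < 2:
        return None
    x1, x2 = int(s[0]), int(s[1])
    return f"{x1}{x2 ^ x1}{s[2:]}"

def T(s):
    """CC-NOT (Toffoli): x1 x2 x3 w -> x1 x2 (x3 xor (x2 and x1)) w."""
    if len(s) < 3:
        return None
    x1, x2, x3 = int(s[0]), int(s[1]), int(s[2])
    return f"{x1}{x2}{x3 ^ (x2 & x1)}{s[3:]}"

def tau(i, j):
    """Position transposition tau_{i,j} (1 <= i < j, 1-based); undefined if |s| < j."""
    def f(s):
        if len(s) < j:
            return None
        bits = list(s)
        bits[i - 1], bits[j - 1] = bits[j - 1], bits[i - 1]
        return "".join(bits)
    return f

def lower(phi, d):
    """Lowering: (phi)_d(z x) = z phi(x) for every z of length d."""
    def f(s):
        if len(s) < d:
            return None
        y = phi(s[d:])
        return None if y is None else s[:d] + y
    return f

def compose(*maps):
    """compose(f, g, h)(s) = f(g(h(s))): the right-most map acts first."""
    def f(s):
        for m in reversed(maps):
            if s is None:
                return None
            s = m(s)
        return s
    return f

def table(phi, n):
    """Table of phi on {0,1}^n as a dict; phi must permute {0,1}^n."""
    ws = ["".join(bits) for bits in product("01", repeat=n)]
    t = {w: phi(w) for w in ws}
    if None in t.values() or sorted(t.values()) != ws:
        raise ValueError("not a permutation of {0,1}^%d" % n)
    return t

def is_even(perm):
    """Parity from the cycle type: a cycle of length L is L-1 transpositions."""
    seen, transpositions = set(), 0
    for start in perm:
        w, length = start, 0
        while w not in seen:
            seen.add(w)
            w = perm[w]
            length += 1
        transpositions += max(length - 1, 0)
    return transpositions % 2 == 0

def extend_with_identity_wire(perm):
    """x . b -> perm(x) . b: one extra identity wire at the right-most position."""
    return {x + b: y + b for x, y in perm.items() for b in "01"}

def transposition(u, v, n):
    """The permutation (u|v) of {0,1}^n."""
    t = table(lambda s: s, n)
    t[u], t[v] = v, u
    return t

if __name__ == "__main__":
    for name, gate, wires in (("N", N, 1), ("C", C, 2), ("T", T, 3)):
        print(name, "on", wires, "wires even:", is_even(table(gate, wires)),
              "| with one identity wire:", is_even(table(gate, wires + 1)))
```

On its minimal number of wires each gate is a single transposition, hence odd; one added identity wire doubles every transposition and makes the permutation even.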

We can define the controlled lowering operation; we fix any string $c \in A^*$, called the "control
string" and define

$$\varphi \in G_{k,1} \ \mapsto\ (\varphi)_c \in G_{k,1} \quad \text{by}$$

$$(\varphi)_c(cx) = c\, \varphi(x) \quad \text{for all } x \in \mathrm{Dom}(\varphi), \text{ and}$$

$$(\varphi)_c(pa) = pa \quad \text{where } p <_{\mathrm{pref}} c,\ a \in A,\ pa \not\le_{\mathrm{pref}} c;$$

so here $p$ is any strict prefix of $c$ (i.e., $p \ne c$), and $a \in A$ is such that $pa$ is not a prefix of $c$. So,
$\mathrm{domC}((\varphi)_c) = c \cdot \mathrm{domC}(\varphi) \cup \{pa : p <_{\mathrm{pref}} c,\ a \in A,\ pa \not\le_{\mathrm{pref}} c\}$, and
$\mathrm{imC}((\varphi)_c) = c \cdot \mathrm{imC}(\varphi) \cup \{pa : p <_{\mathrm{pref}} c,\ a \in A,\ pa \not\le_{\mathrm{pref}} c\}$.

It is easy to see that for each $c \in A^*$, the operation $\varphi \mapsto (\varphi)_c$ is an endomorphism of $G_{k,1}$,
which is injective but not surjective; it is also an endomorphism of $lpG_{k,1}$, of $F_{k,1}$, of $T_{k,1}$, and of
$lpT_{k,1}$. In Cuntz algebra notation, the operation takes the form

7 G O fc i — ► (7) c = C7C+ e °fc- 

where p ranges over the strict prefixes of c and a ranges over the letters of A such that pa is not a 
prefix of c. In Ok the controlled lowering operation is a multiplicative endomorphism, but it is not 
additive. 

Observe that for the generators $\{\sigma, \sigma_1\}$ of F seen before, the second generator is the controlled
lowering of the first with control string 1; this explains our notation for $\sigma_1$.

6 Generalized word problem, distortion of $F_{k,1}$ and $lpG_{k,1}$ in $G_{k,1}$

Proposition 6.1 Over any finite generating set of $G_{k,1}$ the generalized word problem of $F_{k,1}$ in $G_{k,1}$
can be decided in cubic deterministic time.

Similarly, over any finite generating set of $G_{k,1}$ the generalized word problem of $lpG_{k,1}$ in $G_{k,1}$,
and more generally, the generalized word problem of $\bigcup_m \mathfrak{S}_{PA^m}$ in $G_{k,1}$ (for any finite
maximal prefix code $P$) can be decided in cubic deterministic time.

Proof. By Proposition 4.2 of [2], if $\varphi$ is given by a word of length $n$ over a finite generating set of
$G_{k,1}$ then a table for $\varphi$ (not necessarily maximally extended) can be computed in time $O(n^3)$. By
Proposition 3.5 of [2], the length $n$ provides a linear upper bound on the size of this table. Also, every
table entry has length $\le c\,n$. More precisely, the table has the form $((x_1, y_1), \dots, (x_N, y_N))$, where
$|x_i|, |y_i|, N \le c\,n$ (for some constant $c > 1$). The sets $\{x_1, \dots, x_N\}$ and $\{y_1, \dots, y_N\}$ are maximal
prefix codes, and $\varphi(x_i) = y_i$ for $i = 1, \dots, N$.

To check whether $\varphi$ belongs to $F_{k,1}$ we first sort the table according to the input entries, with
respect to dictionary order; more precisely, we sort the pairs of the table $((x_1, y_1), \dots, (x_N, y_N))$
according to the $x$-coordinates, in time $\le O(n^2 \log n)$; indeed, there are $O(n \log n)$ sorting steps, and
since each word has length $\le c\,n$, each word comparison takes time $O(n)$. Then we check whether the
resulting $x$-sorted table is now also in sorted form regarding the $y$-coordinates; this takes quadratic
time, as there are $O(n)$ words of length $O(n)$.

To check whether $\varphi$ belongs to $lpG_{k,1}$ we check, in time $\le O(n^2)$, that $|x_i| = |y_i|$ for $i = 1, \dots, N$.
And to check whether $\varphi$ belongs to $\bigcup_m \mathfrak{S}_{PA^m}$ we note first that $P$ is a fixed finite maximal
prefix code, independent of $\varphi$. We restrict $\varphi$ so that every table entry receives length
$\ge \max\{|p| : p \in P\}$.
This multiplies the table size of $\varphi$ by a constant, at most (since $P$ and $\max\{|p| : p \in P\}$ are fixed).
So we can assume that each $x_i$ and $y_i$ in the table of $\varphi$ has a prefix in $P$. Now for $x_1$, find the prefix
$p_1 \in P$ of $x_1$, so $x_1 = p_1 s_1$ for some $s_1 \in A^*$, and let $m_0 = |s_1|$. Thus, $\varphi$ belongs to
$\bigcup_m \mathfrak{S}_{PA^m}$ iff $\varphi \in \mathfrak{S}_{PA^{m_0}}$. So, we now write each $x_i$ and each $y_i$ in the form
$p\,s$ with $p \in P$ and check that $|s| = m_0$; this holds (for all $s$ obtained) iff $\varphi \in \mathfrak{S}_{PA^{m_0}}$.
Checking this takes time $\le O(n^2)$. □

Since $lpG_{k,1} \cap F_{k,1} = \{1\}$, we have the following equivalence: $w = 1$ (as elements of $G_{k,1}$) iff
$w \in lpG_{k,1}$ and $w \in F_{k,1}$. Thus, the word problem of $G_{k,1}$ reduces (by a one-to-one linear-time
reduction) to the conjunction of the generalized word problem of $lpG_{k,1}$ in $G_{k,1}$ and the generalized
word problem of $F_{k,1}$ in $G_{k,1}$. (Here, the reduction function is just the identity map.) The same is
true with $lpG_{k,1}$ replaced by $\bigcup_m \mathfrak{S}_{PA^m}$ (for any chosen finite maximal prefix code $P$).
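
The two table tests from the proof of Proposition 6.1, and the conjunction used in the paragraph above for the word problem, can be written out directly. The following Python sketch is an added illustration, not code from the paper; it assumes the binary alphabet ($k = 2$, i.e. the group V), takes a table as a list of pairs $(x_i, y_i)$, and uses as sample input the two factors of $\lambda$ from the proof of Proposition 5.2. All function names are assumptions of this example.

```python
from fractions import Fraction

def is_maximal_prefix_code(words, k=2):
    """Prefix-free, and Kraft sum exactly 1 (maximal over a k-letter alphabet)."""
    ws = sorted(words)
    # In dictionary order a word that is a prefix of another word is directly
    # followed by one of its extensions, so checking adjacent pairs suffices.
    if any(b.startswith(a) for a, b in zip(ws, ws[1:])):
        return False
    return sum(Fraction(1, k ** len(w)) for w in ws) == 1

def check_table(table, k=2):
    """Validate a table and return it sorted by x in dictionary order."""
    xs = [x for x, _ in table]
    ys = [y for _, y in table]
    if not (is_maximal_prefix_code(xs, k) and is_maximal_prefix_code(ys, k)):
        raise ValueError("domain and image must be finite maximal prefix codes")
    return sorted(table)

def in_F(table, k=2):
    """Order test: after sorting by x, the y column must also be sorted."""
    ys = [y for _, y in check_table(table, k)]
    return all(a < b for a, b in zip(ys, ys[1:]))

def in_lp(table, k=2):
    """Length test: |x_i| = |y_i| for every row of the table."""
    return all(len(x) == len(y) for x, y in check_table(table, k))

def compose_tables(outer, inner):
    """Table of outer(inner(.)) in the matching case imC(inner) = domC(outer)."""
    step = dict(outer)
    if sorted(step) != sorted(y for _, y in inner):
        raise ValueError("imC(inner) must equal domC(outer); restrict first")
    return sorted((x, step[y]) for x, y in inner)

def represents_identity(table, k=2):
    """Word problem as the conjunction of the two membership tests."""
    return in_F(table, k) and in_lp(table, k)

# The two factors of lambda given in the proof of Proposition 5.2.
LP_FACTOR = [("00", "00"), ("01", "10"), ("10", "11"), ("11", "01")]
F_FACTOR = [("00", "00"), ("010", "01"), ("011", "10"), ("1", "11")]

if __name__ == "__main__":
    lam = compose_tables(LP_FACTOR, F_FACTOR)
    for name, t in (("lp factor", LP_FACTOR), ("F factor", F_FACTOR), ("lambda", lam)):
        print(name, "in F:", in_F(t), "| in lpV:", in_lp(t),
              "| identity:", represents_identity(t))
```

Both tests accept any table of the element, maximally extended or not, since restriction changes neither the order of the rows nor the length differences.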

Hence, the deterministic (or nondeterministic, or co-nondeterministic) time complexity of the
word problem of $G_{k,1}$ is a lower bound for the deterministic (respectively nondeterministic, or
co-nondeterministic) time complexity of the generalized word problem of $\bigcup_m \mathfrak{S}_{PA^m}$ in $G_{k,1}$ or
the generalized word problem of $F_{k,1}$ in $G_{k,1}$, or both. More formally, we have the following:

Definition 6.2 We say that a language (or decision problem) $L$ is as hard as coNP iff there is a
coNP-complete problem $L_0$ such that for every function $t(.)$ that is a deterministic time complexity
lower bound for infinitely many instances of $L_0$ we have: Some function $> c \cdot t(.)$ is a deterministic
time complexity lower bound for infinitely many instances of $L$ (for some constant $c > 0$).

Definition 6.3 Let $G$ be a group with generating set $A$. Suppose every generator $a \in A$ has been
assigned a "length" $|a| \in \mathbb{N}$. Typically, if $A$ is finite then $|a| = 1$ for all $a \in A$. For the position
transpositions $\tau_{i,j}$ ($1 \le i < j$) we take $|\tau_{i,j}| = j$.

The length of a word $w = a_1 \dots a_n$ over $A$ is defined by $|w| = \sum_{j=1}^{n} |a_j|$.

The word length $|g|_A$ of $g \in G$ over $A$ is defined to be the shortest length of any word (over $A$)
that represents $g$.

For a group with generating set $A$ we often say "a word over $A$" when we actually mean "a word over
$A \cup A^{-1}$"; we will also use the notation $A^{\pm 1}$ for $A \cup A^{-1}$.

Proposition 6.4 Let $\Gamma_{k,1}$ be a finite generating set of $G_{k,1}$ but suppose that elements of $G_{k,1}$ are
given over the infinite generating set $\Gamma_{k,1} \cup \{\tau_{i,j} : 1 \le i < j\}$. Then the generalized word problem,
in $G_{k,1}$, of either $F_{k,1}$ or $lpG_{k,1}$, or both, is as hard as coNP.

Similarly, if $P \subset A^*$ is a finite maximal prefix code then the generalized word problem, in $G_{k,1}$, of
either $F_{k,1}$ or $\bigcup_m \mathfrak{S}_{PA^m}$, or both, is as hard as coNP. Moreover, these problems are in coNP.

Proof. The word problem of Gk,i over the generating set T^i U {t^j : 1 < i < j} is coNP-complete 
0. The hardness then follows from the above conjunctive reduction. □ 

Definition 6.5 Let $G_1$ be a group with generating set $A_1$, and let $G_2$ be a subgroup of $G_1$ with
generating set $A_2$. A function $f : \mathbb{N} \to \mathbb{N}$ is called a distortion function for $G_2$ within $G_1$, with
respect to the generators $A_1$, respectively $A_2$, iff for all $g_2 \in G_2$: $|g_2|_{A_2} \le f(|g_2|_{A_1})$.

The distortion function of $G_2$ within $G_1$, with respect to the generators $A_1$, respectively $A_2$, is the
smallest distortion function.

Proposition 6.6 If we use finite generating sets for both $G_{k,1}$ and $F_{k,1}$ then $F_{k,1}$ has linear distortion
in $G_{k,1}$.

Proof. For any element $g \in G_{k,1}$ we have $\|g\| \le c_1\, |g|_G$, by Proposition 3.5 of [2]; here, $\|g\|$ is
the table size of the element $g$, $c_1$ is a positive constant, and $|g|_G$ is the word length of $g$ over some
chosen, fixed finite generating set of $G_{k,1}$. By Theorem 2.5 of $|g|_F \le c_2\, \|g\|$, where $c_2$ is a positive
constant, and $|g|_F$ is the word length of $g$ over some chosen, fixed finite generating set of $F_{k,1}$. Hence,
$|g|_F \le c_1 c_2\, |g|_G$, so the distortion of $F_{k,1}$ in $G_{k,1}$ is linear. □

Problems left open: 

1. Over the generating set $\Gamma_{k,1} \cup \{\tau_{i,j} : 1 \le i < j\}$ of $G_{k,1}$, are the generalized word problems
of the subgroups $lpG_{k,1}$, and $\bigcup_n \mathfrak{S}_{PA^n}$ each coNP-complete?

2. We saw that lpV is generated by $\{N, C, T\} \cup \{\tau_{i,i+1} : 1 \le i\}$. What is the distortion of lpV (over
this generating set) within the Thompson group V (with V over the generating set
$\Gamma_V \cup \{\tau_{i,i+1} : 1 \le i\}$, where $\Gamma_V$ is any finite generating set of V)? We will see in the next
Section that this distortion has a close connection to the relation between different kinds of bijective circuits.

3. We saw that F is generated by a two-element set $\{\sigma, \sigma_1\}$, and hence also by
$\{(\sigma)_d, (\sigma_1)_d : d > 0\}$. What is the distortion of F within V, when F is taken over the generating set
$\{(\sigma)_d, (\sigma_1)_d : d > 0\}$, and V is taken over the generating set $\Gamma_V \cup \{\tau_{i,i+1} : 1 \le i\}$?



7 Complexity of F and of the factorization of V 

We saw that in the factorization $\varphi = \pi f$ with $\pi \in lpV$ and $f \in F$, the table sizes of $\pi$ and of $f$
can be exponentially larger than the table size of $\varphi$. We will now investigate the circuit complexity of $\pi$ and
$f$, compared to that of $\varphi$. We will also show that if $f \in F$ then the circuit complexity of $f^{-1}$ is not
much higher than the circuit complexity of $f$; in other words, the elements of the Thompson group F
do not have much computational asymmetry (and in particular, they cannot be one-way functions).
And we will show that some problems in V are coNP-complete or #P-complete; in particular, the
problem of finding the lpV · F factorization is #P-complete. In this section we focus on the Thompson
groups V and F, but the results could easily be extended to $G_{k,1}$ and $F_{k,1}$.

7.1 Circuit complexity and Thompson groups 

Since an element $\varphi \in V$ is a partial function mapping bitstrings to bitstrings, it is natural to view
$\varphi$ as a boolean function, to be computed by a boolean circuit. However, unless $\varphi \in lpV$, the inputs and
the outputs of $\varphi$ do not have a fixed length. So the traditional concept of a combinational boolean
circuit cannot be applied directly to elements of V.

Let $\varphi : P \to Q$ be a bijection between finite maximal prefix codes $P, Q \subset \{0,1\}^*$, representing an
element of V. We will use ternary logic over the alphabet $\{0, 1, \perp\}$, where $\perp$ is a new letter used for
padding bitstrings. Let $m$ be the length of the longest bitstring in $P$, and let $n$ be the length of the
longest bitstring in $Q$. We define $\varphi^{\perp} : \{0,1,\perp\}^m \to \{0,1,\perp\}^n$ as follows:

For $p \in P$, $\varphi^{\perp}(p \perp^{m-|p|}) = \varphi(p) \perp^{n-|\varphi(p)|}$.

For $x \in \{0,1,\perp\}^m - \{p \perp^{m-|p|} : p \in P\}$ we let $\varphi^{\perp}(x) = \perp^n$.
We will use the notation

$P^{\perp} = \{p \perp^{m-|p|} : p \in P\} = P\perp^* \cap \{0,1,\perp\}^m$, where $m = \max\{|p| : p \in P\}$;

$Q^{\perp} = \{q \perp^{n-|q|} : q \in Q\} = Q\perp^* \cap \{0,1,\perp\}^n$, where $n = \max\{|q| : q \in Q\}$.

We call $P^{\perp}$, $Q^{\perp}$, and $\varphi^{\perp}$ the padding of $P$, $Q$, respectively $\varphi$. Note: For
$\varphi \in V = G_{2,1}$, the padding is not to be viewed as an element of $lpG_{3,1}$.

We observe that for the restrictions to $P^{\perp}$ or to $Q^{\perp}$ we have
$(\varphi^{\perp}|_{P^{\perp}})^{-1} = (\varphi^{-1})^{\perp}|_{Q^{\perp}}$; the restriction $\varphi^{\perp}|_{P^{\perp}}$ is
bijective (but $\varphi^{\perp}$ is not bijective in general). When $\mathrm{imC}(\varphi) = \mathrm{domC}(\psi)$ we also
have $(\psi\varphi)^{\perp} = \psi^{\perp} \circ \varphi^{\perp}$.

To compute the function $\varphi^{\perp} : \{0,1,\perp\}^m \to \{0,1,\perp\}^n$ we consider ternary-logic combinational
circuits with gates over the alphabet $\{0, 1, \perp\}$. We assume that a finite, computationally universal
set of ternary logic gates has been chosen; we ignore the details since they only affect the circuit
complexity by a constant multiple. We also use the (unbounded) set of wire-swap operations $\tau_{i,i+1}$.

For such a circuit, the size of the circuit is defined to be the number of gates together with the
number of wires (links between gates or between gates and inputs or outputs). Note that a "lowered
gate" $(\gamma)_d$ (i.e., the gate $\gamma$ applied to the wires $d+1, d+2$, etc., as defined at the end of Section 5) is
counted as one gate (independently of $d$). Also, in a circuit each wire-crossing $\tau_{i,i+1}$ will be counted
as one gate (independently of $i$). Note that here we are talking about circuit size, not about word
length.

Remarks: 

(1) The idea of padding with $\perp$ works for the Thompson-Higman group $G_{k,1}$ in general, by using
$(A \cup \{\perp\})$-valued logic. The gates that we use include the wire-crossings $\tau_{i,i+1}$.

(2) In we will follow another, more algebraic, approach for defining circuit complexity of elements
of V. We embed V into a certain finitely generated partial transformation monoid $M$ acting on
$\{0, 1, \perp\}^*$, and we take the word-length of $\varphi$ in $M$ as the circuit complexity of $\varphi$. We will prove in
that there are monoids $M$ that, over certain generators, can "simulate" logic gates, and that in such
monoids word-length is closely related to circuit complexity.

Since the functions $\varphi : P \to Q$ considered here are elements of V, hence bijective, it is natural to
also introduce bijective $\{0, 1, \perp\}$-valued circuits. A $\{0, 1, \perp\}$-valued circuit is said to be bijective iff
the gates that make up the circuit are the wire-swap operations $\tau_{i,i+1}$ ($i \ge 1$), and a set of gates derived
from the elements of some fixed finite generating set $\Gamma_V$ of V. The latter means, more precisely, that
the gates derived from $\Gamma_V$ are of the form $((\gamma)_d)^{\perp}$ where each $\gamma$ is a restriction of an element of
$\Gamma_V$. Recall that $(\gamma)_d$ (for $d > 0$) is the lowering of $\gamma$ (defined at the end of Section 5).

In this paper, unless we specifically mention "bijective" or "{0, 1, _L}-valued", the word "circuit" 
will refer to a general boolean circuit (not necessarily bijective). 

Comparison between $\{0, 1, \perp\}$-valued circuits and boolean (i.e., $\{0,1\}$-valued) circuits:

In the general (not necessarily bijective) case, a $\{0, 1, \perp\}$-valued circuit can be simulated by a
traditional binary-logic circuit (e.g., by encoding the ternary values $0, 1, \perp$ by the binary strings
00, 11, 01 respectively, with 10 also serving as a code for $\perp$). Thus, there is no essential difference
between general $\{0, 1, \perp\}$-valued circuits and general boolean circuits.

However, bijective $\{0, 1, \perp\}$-valued circuits have greater generality than bijective boolean circuits.
First, bijective boolean circuits have input-output functions belonging to lpV only; on the other hand,
input-output functions of bijective $\{0, 1, \perp\}$-valued circuits are the paddings of all the elements of V.
Also, the input-output function of a bijective $\{0, 1, \perp\}$-valued circuit is only bijective as a function
$P^{\perp} \to Q^{\perp}$, not as a function $\{0,1,\perp\}^m \to \{0,1,\perp\}^n$, whereas the input-output function of a
bijective boolean circuit is a permutation of $\{0,1\}^m$ for some $m$.

Moreover, even for $\varphi \in lpV$ the smallest size of a bijective $\{0, 1, \perp\}$-valued circuit computing $\varphi$ is
the word length of $\varphi$ over the generators of V (as we shall show in Theorem 7.5 below), whereas the
smallest size of a bijective boolean circuit computing $\varphi$ is the word length of $\varphi$ over the generators
of lpV. Thus, we will see that the relation between the two bijective circuit sizes is approximately
the distortion of lpV within V. Here the generating set of V is $\Gamma_V \cup \{\tau_{i,i+1} : 1 \le i\}$ for any finite
generating set $\Gamma_V$ of V, and lpV is generated by $\{N, C, T\} \cup \{\tau_{i,i+1} : 1 \le i\}$ as seen before. Finding the
distortion of lpV within V is one of our open problems mentioned at the end of Section 6. Theorem
7.5 below will give a precise connection between the two kinds of bijective circuit sizes, word lengths
in V or in lpV, and the distortion of lpV in V.

Definition 7.1 Let $\Gamma_{k,1}$ be a finite generating set of $G_{k,1}$, and let $w$ be a word over the generating set
$\Gamma_{k,1} \cup \{\tau_{i,i+1} : 1 \le i\}$ of $G_{k,1}$. The length of $w = a_1 \dots a_n$ is $|w| = \sum_{j=1}^{n} |a_j|$, where
$|a_j| = 1$ if $a_j \in \Gamma_{k,1}^{\pm 1}$ and $|a_j| = i + 1$ if $a_j = \tau_{i,i+1}$.

For $\varphi \in G_{k,1}$, the word length of $\varphi$ over $\Gamma_{k,1} \cup \{\tau_{i,i+1} : 1 \le i\}$ is the shortest length of any
word (over the above generators) that represents $\varphi$.

Observe that $\tau_{i,i+1}$ is counted differently for circuit size than for word length ($\tau_{i,i+1}$ is counted as
1 in circuit size but as $i + 1$ in the word length).

The following definition compares bijective padded circuits for elements of lpV with boolean
bijective circuits. Note that in this definition we only consider circuits for computing elements of lpV.

Definition 7.2 An unpadding cost function from bijective $\{0, 1, \perp\}$-valued circuits to bijective binary
circuits is any function $U : \mathbb{N} \to \mathbb{N}$ such that the following holds: For all $\varphi \in lpV$ and any bijective
$\{0, 1, \perp\}$-valued circuit of size $m$ for $\varphi$ there exists a bijective binary circuit of size $\le U(m)$ for $\varphi$.
The unpadding cost function $u(.)$ is the minimum unpadding cost function.

Definition 7.3 Two functions $f_1, f_2 : \mathbb{N} \to \mathbb{N}$ are said to be linearly related iff there are constants
$c_0, c_1, c_2$, all $> 1$, such that for all $n > c_0$: $f_1(n) \le c_1 f_2(c_1 n)$ and $f_2(n) \le c_2 f_1(c_2 n)$.

The functions $f_1, f_2$ are said to be polynomially related iff there are constants $c_0, c_1, c_2$, all $> 1$,
such that for all $n > c_0$: $f_1(n) \le c_1 f_2(c_1 n^{c_1})^{c_1}$ and $f_2(n) \le c_2 f_1(c_2 n^{c_2})^{c_2}$.

The following theorem motivates $\{0, 1, \perp\}$-valued circuits, as well as the concept of word length
over the generating set $\Gamma_V \cup \{\tau_{i,i+1} : 1 \le i\}$ for V. It again motivates our use of the infinite set
$\{\tau_{i,i+1} : 1 \le i\}$ for generating V, in spite of the fact that V is finitely generated. It also reinforces
the connection between Thompson groups and bijective ("reversible") computing, seen before. In
we will generalize Theorem 7.5 to a connection between general circuit size and the word size in the
"Thompson monoids" (the latter being a generalization of the Thompson-Higman groups to monoids).
We will only state the Theorem for V and for binary or $\{0, 1, \perp\}$-valued circuits, although it could easily
be generalized to $G_{k,1}$. First a lemma:

Lemma 7.4 Let a n ,...,a\ € V be given by table and let I be the length of the longest words in the 
tables of a n , . . . , a±. Then a n , . . . ,a\ have restrictions a n , . . . , cx\, respectively, such that 

• domC(aj + i) = imC(ay) for n > j > 1, and 

• all words in the tables of ay (n > j > 1) have lengths <n£. 

Proof. For <p € V we will describe the table of p as a set of input-output pairs, of the form {(ui,Vi) : 
i = 1, . . . , J}. We also use tables to represent elements of V in non-maximally extended form; we will 
mention explicitly when we assume maximal extension. 

Claim. Let a» € V (for i = 1, . . . ,n) be given by tables {(Xj ,Uj) '■ j = 1, • • • ,r}, not necessarily 

in reduced form. Thus domC(aj) = {xj : j = 1, ... ,r}, and imC(aj) = {y^ : j = 1, ... ,r}. We 
assume that domC(aj+i) = imC(aj) for i = 1, ... ,n — 1 Let t be an upper bound on the length of all 
the words in UILi domC(aj) U imC(aj). For j = 1, . . . ,r, let Sj = {sj^k '■ 1 < k < \Sj\} be a finite 
maximal prefix code over {0, 1}. 

Then oti (for i = 1, ... ,n), defined by the table {(x^Sj^, yjSj^) ■ 1 < j < r, 1 < k < \Sj\}, is a 
restriction of a, satisfying: 

• domC(aj+i) = imC(aj) for n > i > 1, and 

• all words in the tables of on (n > i > 1) have lengths < max{|sj| : 1 < % < r} + 1. 

Proof of the Claim: Since {xj ^ : j = 1, . . . , r} = domC(aj + i) = imC(a,) = {y^ : j = 1, . . . , r}, it 

follows immediately that {Xj Sj,k '■ 1 < 3 < 1 < k < \Sj\} = {y^ sj ± : 1 < j < r, 1 < k < \Sj\}. 
Hence domC(aj + i) = imC(aij). 

Also, \xj Sjfil < £ + max{|sj| : 1 < i < r} (and similarly for |yj Sj,fc|), hence we have the claimed 
length bound. This proves the Claim. 

Let us now prove Lemma 7.4 by induction on n. The Lemma is obvious when n = 1. Given a, G V 
(for i = n, . . . , 1, with n > 2), we use the Lemma by induction for a n _i, . . . ,a±. So we can assume that 
domC(aj_t_i) = imC(aj) for n — 1 > i > 1, and all words in the tables of Oj (n — 1 > i > 1) have lengths 

< (n — 1)£ Let us denote domC(aj + i) = imC(aj) by Pf, so we have Po — * P\ — ^ ... ^— > P n -2 

On-1 

► "n-1 • 

We consider the product a n • (a n _i . . . ai). We will find a restriction a n of a n , and a restric- 
tion a n _i TTTal of a n _i...ai, such that domC(a„) = imC(a„_i . . . aT). We also want to restrict 
a„_i, . . . , a% to functions a„_i, . . . , ai such that domC(aj + i) = imC(aj) for n — 1 > i > 1. Two cases 
arise: 

Case 1: Every word in P n _i has length > I. 

By the assumptions of Lemma 7.4 every word in the table of a n has length < I. Therefore, all 
we need to do to obtain a n and a n _i, . . . , ai is to restrict a n so that domC(a n ) becomes P n -i- No 
restriction of a„_i . . . a\ is needed, i.e., a, = en for i = n — 1, . . . , 1, and a n _i . . . ai = a n _i . . . ai. 
Hence the longest word in Pq, Pi, ... , P n -\ has length < (n — 1) £. 

The longest word in the table of a n has length < max{|p| : p £ P n -i} + by the Claim (applied 
to a n and a n _i . . . a±). Hence the longest word in the table of a n has length < (n — 1) t + 1 = nt. 
Case 2: Some word in P n ~\ has length < t. 

We restrict a n _i so as to make all words in imC(a n _i) have length > £, as follows. For any 
Uj G Pn—l with \yj\ < £ we consider the finite maximal prefix code Sj = {0, We restrict 
a n _i in such a way that yj is replaced by yj ■ Sj, i.e., P n -\ becomes (P n -i — {Uj}) U j/j • 5j. Note 
that all words in yj ■ Sj have length I. After every word in P n -\ of length < I has been replaced, 
let P n -i be the resulting finite maximal prefix code. Now we apply the Claim in order to restrict 
all of a n -\, ... ,a\. As a result, each on (for % = n — 1, . . . , 1) receives a table with words of length 

< (n — 1) I + max{|s| : s G [Jj Sj} < (n — 1) I + ^ = nt. Note that in these restrictions, the length of 
the words in P n -\ only increases for the very short words (namely, words of length < I are replaced 
by words of length €). Hence, after restriction, the words in P n -\ still have length < (n — 1)1. 

Next we restrict a n , as in case 1. Since after restriction, the words in P n -\ have length < (n — 1) £, 
the longest word in the table of a n has length < (n — 1) £ + £ = n £. □ 

Theorem 7.5 (1) For the elements $\varphi \in V$, the minimum size of bijective
$\{0,1,\bot\}$-valued circuits that compute $\varphi$ is polynomially related to the word length of
$\varphi$ in $V$ (over $\Gamma_V \cup \{\tau_{i,i+1} : 1 \leq i\}$). More precisely, there are
constants $c_1, c_2 > 0$ such that $s_\varphi \leq c_1\,|\varphi|_V^2$ and
$|\varphi|_V \leq c_2\, s_\varphi$, where $|\varphi|_V$ is the word length of $\varphi \in V$ over
$\Gamma_V \cup \{\tau_{i,i+1} : 1 \leq i\}$, and $s_\varphi$ is the $\{0,1,\bot\}$-valued bijective
circuit size of $\varphi$.

(2) For the elements $\varphi \in \mathrm{lp}V$, the minimum size of bijective binary circuits is
polynomially related to the word length of $\varphi$ in $\mathrm{lp}V$ (over
$\{N,C,T\} \cup \{\tau_{i,i+1} : 1 \leq i\}$). More precisely, the word length
$|\varphi|_{\mathrm{lp}V}$ over $\{N,C,T\} \cup \{\tau_{i,i+1} : 1 \leq i\}$, and the binary circuit
size $b_\varphi$ of $\varphi$ satisfy: $b_\varphi \leq c_1\,|\varphi|_{\mathrm{lp}V}^2$, and
$|\varphi|_{\mathrm{lp}V} \leq c_2\, b_\varphi$ (for some constants $c_1, c_2 > 0$).

(3) The distortion function $d(.)$ of $\mathrm{lp}V$ in $V$ (over the generators mentioned above),
and the unpadding cost function $u(.)$ for bijective $\{0,1,\bot\}$-valued circuits, are polynomially
related. More precisely, for some constants $c, c' > 0$ and for all $x > 0$ we have
$u(x) \leq c\, d(c\,x)^2$ and $d(x) \leq c'\, u(c'\,x^2)$.

Proof. (1) For $\varphi \in V$ let $s_\varphi$ be the circuit size of $\varphi$ over
$\Gamma_V^{\pm 1} \cup \{\tau_{i,i+1} : 1 \leq i\}$, let $|\varphi|$ be the word length over
$\Gamma_V^{\pm 1} \cup \{\tau_{i,i+1} : 1 \leq i\}$.

• Proof that $s_\varphi \leq c_1\,|\varphi|^2$ (for some constant $c_1 > 0$): Let
$w = \alpha_1 \ldots \alpha_n$ be a shortest word that represents $\varphi$, where
$\alpha_j \in \Gamma_V^{\pm 1} \cup \{\tau_{i,i+1} : 1 \leq i\}$ for
$1 \leq j \leq n = |w| = |\varphi|$. We restrict the generators $\alpha_j$ as in Lemma 7.4 so that
they can be composed, and $\alpha_j$ will only have bitstrings of length $\leq c_1\,|\varphi|$ in its
table. Thus, the word $w$ becomes a $\{0,1,\bot\}$-valued circuit consisting of the $n = |\varphi|$
operations $\alpha_j$ ($1 \leq j \leq n$), and each $\alpha_j$ has $\leq c_1\,|\varphi|$ wires; so the
circuit for $\varphi$ has size $\leq c_1\,|\varphi|\,|\varphi|$.

• Proof that $|\varphi| \leq c_2\, s_\varphi$ (for some constant $c_2 > 0$): Consider any smallest
bijective circuit $C$ over $\Gamma_V^{\pm 1} \cup \{\tau_{i,i+1} : 1 \leq i\}$, of size $s_\varphi$,
computing $\varphi$. This circuit is a sequence $(\alpha_1, \ldots, \alpha_n)$ where
$n = |C| = s_\varphi$. Each $\alpha_j$ is either of the form $\tau_{i,i+1}$, or $\alpha_j$ is the
padding of a restriction of $(\gamma)_d$ with $d > 0$ and $\gamma \in \Gamma_V^{\pm 1}$. Hence, the
sequence $(\alpha_1, \ldots, \alpha_n)$ is a word of length $s_\varphi$ representing $\varphi$. To
obtain a word over $\Gamma_V^{\pm 1} \cup \{\tau_{i,i+1} : 1 \leq i\}$ we express the lowering
operation in terms of position transpositions, as at the end of Section 5; then $(\gamma)_d$ becomes
$\pi^{-1} \gamma \pi$, where $\pi$ is the composition of $\leq 2m$ position transpositions of the form
$\tau_{i,d+i}$ or $\tau_{j,m+j}$. Here $m$ is the length of the longest word in any of the tables for
the elements $\gamma \in \Gamma_V$; since $\Gamma_V$ is fixed and finite, $m$ is a constant. A
transposition $\tau_{i,d+i}$ can be written as the composition of $\leq 2d$ transpositions of the form
Let $((\gamma_j)_{d_j} : j = 1, \ldots, J)$ be the list of all the lowered gates that occur in the
circuit $C$; then $\sum_{j=1}^{J} d_j \leq |C|$, since for each $(\gamma_j)_{d_j}$ there are $d_j$
wires in $C$ that are output wires of other gates (or that are inputs of $C$), and that are counted as
part of the size of $C$. Thus we obtain a word of length $\leq c_2\, s_\varphi$ (for some constant
$c_2 > 0$), representing $\varphi$.

(2) The proof is very similar to the proof of (1). 

(3) By (1) and (2) and by the definition of distortion we have:
$c\,\sqrt{b_\varphi} \leq |\varphi|_{\mathrm{lp}V} \leq d(|\varphi|_V) \leq d(c'\, s_\varphi)$, hence
$b_\varphi \leq c''\, d(c'\, s_\varphi)^2$. Here, $c, c', c''$ are constants. By the definition of the
unpadding cost function it follows that $u(x) \leq c''\, d(c'\, x)^2$.

Also by (1) and (2) and by the definition of the unpadding cost function we have:
$c\,|\varphi|_{\mathrm{lp}V} \leq b_\varphi \leq u(s_\varphi) \leq u(c'\,|\varphi|_V^2)$, hence
$|\varphi|_{\mathrm{lp}V} \leq c''\, u(c'\,|\varphi|_V^2)$. Here, $c, c', c''$ are constants. By the
definition of distortion it follows that $d(x) \leq c''\, u(c'\, x^2)$. □

Theorem 7.6 Consider any element of the Thompson group $F$, represented by a bijection
$f : P \to Q$ that preserves the dictionary order, where $P$ and $Q$ are finite maximal prefix codes.
If $f$ can be computed by a $\{0,1,\bot\}$-valued circuit of size $s$ then $f^{-1} : Q \to P$ can be
computed by a combinational circuit of size $m(m+1)\,s + O(m^2 n)$, where
$m = \max\{|p| : p \in P\}$ and $n = \max\{|q| : q \in Q\}$.

Moreover, a circuit for $f^{-1}$ can be found from a circuit for $f$ deterministically in polynomial
time in terms of $s$, $m$, $n$.

Proof. Suppose $f^{\bot}(x\bot^{m-|x|}) = y\bot^{n-|y|}$, and $y\bot^{n-|y|}$ is given. The idea for
inverting $f^{\bot}$ is simple: Since $f$ preserves the dictionary order we can find $x\bot^{m-|x|}$
by adapting the classical binary search algorithm. This algorithm is usually used for searching in a
sorted array; but it works in a similar way for inverting any order-preserving map.

A few technical details have to be discussed before we give an algorithm for inverting $f^{\bot}$.
For many strings $z \in \{0,1,\bot\}^n$ there is no inverse image under $f^{\bot}$; in that case our
inversion algorithm will output $\bot^m$. For example, $z \notin \{0,1\}^*\bot^*$ has no inverse.
Also, since the range of $f^{\bot}$ is $Q^{\bot} \cup \{\bot^n\}$ where $Q$ is a finite maximal prefix
code we have: If $y\bot^{n-|y|}$ has an inverse then there is no inverse for any strict prefix of $y$;
i.e., if $w \in \{0,1\}^*$ is a strict prefix of $y$ then $w\bot^{n-|w|}$ has no inverse. On the other
hand, for every $v \in \{0,1\}^n$, there exists exactly one prefix $y$ of $v$ such that
$y\bot^{n-|y|}$ has an inverse. Similarly, for every $u \in \{0,1\}^m$, there exists exactly one
prefix $x$ of $u$ such that $f^{\bot}(x\bot^{m-|x|}) \neq \bot^n$.

The binary search can be pictured on the complete binary tree with vertex set $\{0,1\}^{\leq m}$,
with root $\varepsilon$ (the empty word), and leaves $\{0,1\}^m$; the children of a vertex
$v \in \{0,1\}^{<m}$ are $v0$ and $v1$. The search uses a variable vertex $v$, initialized to
$\varepsilon$, and proceeds from $v$ to $v0$ or $v1$, until success, or until $v$ becomes a leaf.

Algorithm (for inverting $f^{\bot}$)

For any input $z \in \{0,1,\bot\}^n$ it is easy to check whether $z \notin \{0,1\}^*\bot^*$; in that
case the output is $\bot^m$. Assume from now on that the input is of the form $y\bot^{n-|y|}$ with
$y \in \{0,1\}^*$, $|y| \leq n$. Let $v \in \{0,1\}^{\leq m}$ be a bitstring, initialized to
$v = \varepsilon$ (the empty string). Below, $<_d$ and $>_d$ refer to the dictionary order.

repeat the following until the exit command
begin

    find the prefix $x$ of $v\,1\,0^{m-1-|v|}$ (if $|v| < m$) or the prefix $x$ of $v$ (if $|v| = m$),
        such that $f^{\bot}(x\bot^{m-|x|}) \neq \bot^n$
        (this is done by trying all prefixes of $v\,1\,0^{m-1-|v|}$, respectively of $v$);
    if $f^{\bot}(x\bot^{m-|x|}) = y\bot^{n-|y|}$ then return $x\bot^{m-|x|}$ as output, and exit;
    if $|v| = m$ then return $\bot^m$ as output, and exit;
    if $f^{\bot}(x\bot^{m-|x|}) <_d y\bot^{n-|y|}$ and $|v| < m$ then replace $v$ by $v1$;
    else (i.e., when $f^{\bot}(x\bot^{m-|x|}) >_d y\bot^{n-|y|}$ and $|v| < m$) replace $v$ by $v0$;
end (of repeat loop);

end (of algorithm).

Let us show that this program can be implemented by an acyclic circuit of size
$m(m+1)\,s + O(m^2 n)$. The loop of the program is executed at most $m$ times, and each execution of
the loop will be implemented as one of $m$ stages of the complete circuit.

Each execution of the loop takes at most $(m+1)\,s + O(mn)$ gates.

The first part of the loop (namely, to "find the prefix $x$") requires $m$ copies of the circuit of
$f^{\bot}$, each of which is followed by $O(n)$ gates to check equality with $\bot^n$, followed by a
tree of $n$ AND-gates. Moreover, recall that when we want to apply the same type of gate to different
variables (wires) we need to permute wires (using bit position transpositions $\tau_{i,j}$).
Similarly, permutations may need to be applied to the output wires of a gate. This adds at most a
constant number of operations for each gate. So the first part of the loop uses $m\,s + O(mn)$ gates.

The first if condition requires another copy of the circuit of $f^{\bot}$, followed by $O(n)$ gates
to compare the result with $y\bot^{n-|y|}$ for equality and to check for $<_d$ or $>_d$ in the
dictionary order. The $<_d$ or $>_d$ comparison of two strings of the same length can be done by a
finite automaton, reading both strings in parallel from left to right; if the inputs are restricted to
strings of length $n$, this automaton can then be turned into a prefix circuit (of Ladner and Fischer
^Hl). The Ladner-Fischer circuit consists of $\leq 4n$ copies of a gate that implements the (fixed)
transition function of the finite automaton. The prefix circuit uses fan-out $\leq n$; however, there
is also a bounded-fan-out design for the prefix circuit, using just $\leq 9n$ gates (see p. 205 of
^H]). Moreover, applying the same gate to different variables first requires some permutations of
wires; this introduces a constant factor (since gates have a fixed number of input-output wires, so
only a fixed number of wires are permuted back and forth). Checking whether $|v| = m$ is equivalent to
checking absence of $\bot$, which requires $O(n)$ gates. So overall the if-statements require
$s + O(n)$ gates.

Finally, the above description amounts to a polynomial-time procedure for producing the circuit
that implements $(f^{\bot})^{-1}$. □
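The inversion algorithm above, as an added Python example that is not part of the paper. The sample tables `P` and `Q` are constructed, `_` stands for $\bot$, and the names `f_bot` and `invert` are chosen here; the search touches $f$ only through evaluations of $f^{\bot}$, following the repeat loop step by step.

```python
BOT = "_"  # stands for the padding symbol "bottom" (a choice made for this example)

# Constructed sample element of F: P and Q are finite maximal prefix codes,
# listed in dictionary order, so the i-th word of P maps to the i-th word of Q.
P = ["00", "01", "10", "110", "111"]
Q = ["0", "100", "101", "110", "111"]
TABLE = dict(zip(P, Q))
M = max(len(p) for p in P)
N = max(len(q) for q in Q)


def pad(w, length):
    """w followed by copies of BOT up to the given length."""
    return w + BOT * (length - len(w))


def f_bot(z):
    """f^bot on {0,1,BOT}^M: padded image of a code word, BOT^N otherwise."""
    w = z.rstrip(BOT)
    return pad(TABLE[w], N) if w in TABLE else BOT * N


def invert(z, f=f_bot, m=M, n=N):
    """Binary search for x with f(x BOT^(m-|x|)) == z; BOT^m if none exists."""
    y = z.rstrip(BOT)
    if len(z) != n or BOT in y:           # z is not of the form y BOT^(n-|y|)
        return BOT * m
    v = ""                                # current vertex of the binary tree
    while True:
        # probe word: v 1 0^(m-1-|v|) while v is an inner vertex, else v itself
        probe = v + "1" + "0" * (m - 1 - len(v)) if len(v) < m else v
        # the unique prefix x of the probe on which f is defined
        for k in range(len(probe) + 1):
            x, fx = probe[:k], f(pad(probe[:k], m))
            if fx != BOT * n:
                break
        if fx == z:
            return pad(x, m)              # success
        if len(v) == m:
            return BOT * m                # reached a leaf: z has no inverse
        # f preserves dictionary order, so the comparison gives the direction
        v += "1" if fx.rstrip(BOT) < y else "0"
```

Each pass of the loop evaluates `f` at most `m + 1` times and there are at most `m + 1` passes, which is the source of the $m(m+1)\,s$ term in the circuit size.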

As a consequence, $(f^{\bot})^{-1}$ is not much harder to compute than $f$ itself. So, without need
to define the concept of a one-way function in detail we can conclude that for any reasonable
definition of "one-way function" we have:

Corollary 7.7 The Thompson group F does not contain any one-way functions. 

Recall that in our algorithm for finding the $\mathrm{lp}V \cdot F$ factorization of
$\varphi \in V$, the element $\varphi$ is first restricted so as to make
$\mathrm{imC}(\varphi) = \{0,1\}^n$. We will show next that this restriction does not increase
circuit complexity much, and that we can find a circuit for certain restrictions. On the other hand,
we saw in Theorem 7.12(3) that the opposite operation, namely finding the maximal extension, is hard.

Lemma 7.8 Every $\varphi \in V$ has a restriction $\Phi$ such that
$\mathrm{imC}(\Phi) = \{0,1\}^n$, and such that the circuit size of $\Phi$ is only polynomially
larger than the circuit size of $\varphi$.

More precisely, assume $\varphi^{\bot}$ has a circuit of size $s$, with $m$ input variables and $n$
output variables (over $\{0,1,\bot\}$). Then the restriction $\Phi$ with
$\mathrm{imC}(\Phi) = \{0,1\}^n$ has a circuit of size $\leq 4s\,(n+m+1)$, with $n+m$ input variables
and $n$ output variables. Moreover, such a circuit for $\Phi^{\bot}$ can be found from the given
circuit for $\varphi^{\bot}$ deterministically in polynomial time (as a function of $s, m, n$); i.e.,
there is a polynomial-time reduction from the problem of finding a circuit for $\Phi$ to the problem
of finding a circuit for $\varphi$ (for $\{0,1,\bot\}$-valued circuits).

Proof. We can view $\varphi$ as a bijection $P \to Q$ where $P, Q \subset \{0,1\}^*$ are finite
maximal prefix codes. Since the circuit for $\varphi^{\bot}$ has $n$ output variables, we have
$n = \max\{|y| : y \in Q\}$. Let $\Phi : P_1 \to \{0,1\}^n$ be the restriction of $\varphi$ with image
code $\{0,1\}^n$, where $P_1$ is the finite maximal prefix code obtained when $\varphi$ is restricted
to make the image code $\{0,1\}^n$. Let $m = \max\{|x| : x \in P\}$. Thus, all words in the finite
maximal prefix code $P_1$ have length $\leq n+m$. We now construct a $\{0,1,\bot\}$-valued circuit for
$\Phi^{\bot}$ with $n+m$ input variables and $n$ output variables. On an input
$x \in \{0,1,\bot\}^{n+m}$ the circuit behaves as follows:

• If $x \notin \{0,1\}^*\bot^*$, the output is $\Phi^{\bot}(x) = \bot^n$.

To check whether $x \notin \{0,1\}^*\bot^*$ we consider all $n+m-1$ pairs $(x_i, x_{i+1})$ of
neighboring input variables (for $i = 1, \ldots, n+m-1$) and check whether any of them have values
$(x_i, x_{i+1}) = (\bot, 0)$ or $= (\bot, 1)$, using $n+m-1$ gates. To produce the output $\bot^n$ in
that case, the $n+m-1$ gates above feed into a tree of OR gates whose output is 1 iff $(\bot, 0)$ or
$(\bot, 1)$ occurs anywhere in input pairs. The OR-tree and the output $\bot^n$ require
$\leq 2(n+m)$ gates. Thus so far we have $\leq 3(n+m)$ gates in total.

• If $x \in \{0,1\}^*\bot^*$, since $\Phi^{\bot}$ has $m+n$ input wires, we write $x = u\bot^i$ with
$u \in \{0,1\}^{n+m-i}$. We look at each prefix $p$ of $u = pz$, in order of increasing length
$|p| = 0, 1, \ldots, m+n-i$, and feed $p\bot^{m-|p|}$ into $\varphi^{\bot}$.

- If $\varphi^{\bot}(p\bot^{m-|p|}) = \bot^n$, we ignore $p$ and look at the next prefix of $u$.

- If $\varphi^{\bot}(p\bot^{m-|p|}) = q\bot^{n-|q|}$ for some $q \in \{0,1\}^*$, we conclude that
$\varphi(p) = q$ and $\varphi(u) = \varphi(pz) = qz$. Hence, if $|z| = n - |q|$ we produce the output
$\Phi^{\bot}(u\bot^i) = qz \in \{0,1\}^n$; so $\Phi$ agrees with $\varphi$ and has
$\mathrm{imC}(\Phi) = \{0,1\}^n$. If $|z| \neq n - |q|$ we produce the output
$\Phi^{\bot}(u\bot^i) = \bot^n$. (No new prefixes of $u$ will be considered.)

In the above construction, the circuit of $\varphi^{\bot}$ is repeated $m+n+1$ times, since an input
of length $m+n$ has $\leq m+n+1$ prefixes. So this part of the circuit has size $s\,(m+n+1)$. We need
another $3n\,(m+n+1)$ gates to combine the outputs of the $(m+n+1)$ copies of the
$\varphi^{\bot}$-circuit: If one of the $\varphi^{\bot}$-circuits produces an output in $\{0,1\}^n$,
that output has to be the final output; if all the copies of the $\varphi^{\bot}$-circuit produce
$\bot^n$, then $\bot^n$ should be the final output.

Finally, the total circuit for $\Phi^{\bot}$ has size
$\leq 3(n+m) + s\,(m+n+1) + 3n\,(m+n+1) \leq (s+3n+3)(m+n+1) \leq 4s\,(m+n+1)$ (the last "$\leq$"
holds since $s \geq m+n$ and $m, n \geq 1$). The above description of the construction of a circuit
for $\Phi$ is a deterministic algorithm whose running time is a polynomial in $s$. □
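The prefix-by-prefix construction of $\Phi^{\bot}$ from the proof of Lemma 7.8, as an added Python example that is not part of the paper. The sample table `PHI` is constructed, `_` stands for $\bot$, and $\varphi^{\bot}$ is given by table lookup in place of a circuit; all function names are chosen here.

```python
from itertools import product

BOT = "_"  # stands for the padding symbol "bottom" (a choice made for this example)

# Constructed sample phi : P -> Q in V (it does not preserve dictionary order).
PHI = {"0": "11", "10": "0", "11": "10"}
M = max(len(p) for p in PHI)            # number of input wires of phi^bot
N = max(len(q) for q in PHI.values())   # number of output wires


def phi_bot(z):
    """phi^bot on {0,1,BOT}^M, given here by table lookup instead of a circuit."""
    w = z.rstrip(BOT)
    return PHI[w].ljust(N, BOT) if w in PHI else BOT * N


def Phi_bot(x):
    """The restriction Phi^bot on N+M input wires, following the proof."""
    u = x.rstrip(BOT)
    if len(x) != N + M or BOT in u:      # x is not in {0,1}* BOT*
        return BOT * N
    for k in range(min(len(u), M) + 1):  # prefixes p of u, by increasing length
        out = phi_bot(u[:k].ljust(M, BOT))
        if out == BOT * N:
            continue                     # phi undefined on p: try the next prefix
        q, z = out.rstrip(BOT), u[k:]    # phi(p) = q, so phi(pz) = qz
        return q + z if len(z) == N - len(q) else BOT * N
    return BOT * N


def restriction_table():
    """All pairs (u, Phi(u)) with Phi^bot(u BOT^i) != BOT^N; the keys form P_1."""
    table = {}
    for length in range(N + M + 1):
        for bits in product("01", repeat=length):
            u = "".join(bits)
            out = Phi_bot(u.ljust(N + M, BOT))
            if out != BOT * N:
                table[u] = out
    return table
```

For the sample, the table entry `10 -> 0` is split into `100 -> 00` and `101 -> 01`, so the image code becomes all of $\{0,1\}^2$ while the domain words stay within length $n+m$.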

An immediate consequence of Lemma 7.8 is the following:

Corollary 7.9 Assume $f \in F$ has a $\{0,1,\bot\}$-valued circuit of size $\leq s$, with $m$ input
variables and $n$ output variables. Then the restriction of $f$ with $\mathrm{imC}(f) = \{0,1\}^n$,
i.e., the restriction of $f$ that makes $f$ a rank function $\mathrm{rank}_P(.)$, has a
$\{0,1,\bot\}$-valued circuit of size $\leq 4s\,(m+n+1)$.

In other words, representing elements of $F$ by rank functions does not lead to a large increase in
circuit complexity.

Proposition 7.10 Let $\varphi$ be an element of the Thompson group $V$, and let
$\varphi = \pi \cdot f$ be its $\mathrm{lp}V \cdot F$ factorization. Let
$\varphi : P \to \{0,1\}^n$ be a representation of $\varphi$ by a bijection from a finite maximal
prefix code $P \subset \{0,1\}^{\leq m}$ onto $\{0,1\}^n$. Suppose that the rank function of $P$ can
be computed by a circuit of size $\leq s$.

Then $f$ has circuit complexity $\leq s$, and the circuit complexities of $\varphi$ and of $\pi$
differ by at most $m(m+1)\,s + O(m^2 n)$. The circuit complexities of $\varphi^{-1}$ and $\pi^{-1}$
differ by at most $s$.
Moreover, the circuits for $f$ and $\pi$ can be found in deterministic polynomial time.

Proof. We apply our $\mathrm{lp}V \cdot F$ factorization algorithm. Since $\varphi$ already has
$\mathrm{imC}(\varphi) = \{0,1\}^n$, we have $f = \mathrm{rank}_P(.)$, and hence by assumption, $f$
has circuit complexity $\leq s$.

To obtain a circuit for $\pi = \varphi f^{-1}$ we use Theorem 7.6 to obtain a circuit for $f^{-1}$ of
size $\leq m(m+1)\,s + O(m^2 n)$, where $m = \max\{|p| : p \in P\}$; then we compose the circuit for
$f^{-1}$ with the circuit for $\varphi$.

To obtain a circuit for $\varphi = \pi \cdot f$ from a circuit for $\pi$ we just compose the circuit
for $f$ and the circuit for $\pi$. □

A consequence of Proposition 7.10 is the following. If an element of $V$ has a representation
$\varphi : P \to \{0,1\}^n$ (for some $n > 0$), and if $P$ is a finite maximal prefix code with easy
rank function, then $\varphi$ and $\pi$ have similar circuit complexities; $\varphi^{-1}$ and
$\pi^{-1}$ also have similar circuit complexities. Thus we have:

Corollary 7.11 If there exists a one-way bijection $\varphi : P \to \{0,1\}^n$ (for some $n > 0$),
where $P$ is a finite maximal prefix code with easy rank function, then there exists a one-way
permutation $\pi$ of $\{0,1\}^n$.

7.2 coNP-complete and #P-complete problems in the Thompson groups

The following coNP-completeness results are similar to the well-known coNP-completeness of questions 
about circuits, except that here we deal with circuits that compute bijections, in the sense defined at 
the beginning of this section. 

Theorem 7.12 The following decision problems are coNP-complete: 

(1) Given two $\{0,1,\bot\}$-valued bijective circuits, do they compute the same element of $V$?

(2) Given two $\{0,1,\bot\}$-valued bijective circuits for computing elements
$\psi, \varphi \in V$, is $\psi$ the maximal extension of $\varphi$?

(3) Given a $\{0,1,\bot\}$-valued bijective circuit, does it compute the identity element of $V$?

The problems remain coNP-complete when the given $\{0,1,\bot\}$-valued circuits are general (not
necessarily bijective).

Proof. Let us first check that these problems are in coNP. Problems (1), (3) and (4) are variants of
the classical circuit equivalence problem. For problem (2), we can check in coNP whether $\psi$ and
$\varphi$ represent the same element of $V$. To check in NP whether $\psi$ is not maximally extended,
guess entries $(x0, y0)$, $(x1, y1)$ in the table of $\psi$; the lengths of $x$ and $y$ are no larger
than the size of the given circuit for $\psi$, and the fact that $(x0, y0)$ and $(x1, y1)$ are in the
table of $\psi$ can be checked rapidly using the circuit for $\psi$.

Hardness: Problem (3) is a special case of (2) and of (1) (letting $\psi$ be the identity map with
domain and image codes consisting of just the empty word), so (2) and (1) are at least as hard as (3).
The hardness of (3) is a consequence of the fact that the word problem of $G_{3,1}$ over the
generating set $\Gamma_{3,1} \cup \{\tau_{i,j} : 1 \leq i < j\}$ is coNP-complete (proved in [3]), and
the fact (proved in Theorem 7.5(1)) that every word over
$\Gamma_{3,1} \cup \{\tau_{i,j} : 1 \leq i < j\}$ has a $\{0,1,\bot\}$-valued circuit whose size is
linearly bounded by the size of the word. □

Proposition 7.10 shows that under certain conditions the $\mathrm{lp}V \cdot F$ factorization is easy
to find. The next Theorems show that in general, finding the $\mathrm{lp}V \cdot F$ factorization is
#P-hard, even when circuits for the rank functions of the domain code and image code are given.

To define the class #P we consider functions of the form $f : A^* \to \{0,1\}^*$, where $A$ is a
finite alphabet, and elements of $\{0,1\}^*$ are interpreted as non-negative integers in binary
representation. Intuitively, for a function $f$ in #P and for $x \in A^*$, $f(x)$ is the number of
ways a relation that is parameterized by $x$ can be satisfied. More precisely we will use the
following definition of #P; see e.g. m

Definition 7.13 A function $f : A^* \to \{0,1\}^*$ is in #P iff there is a relation
$R \subseteq A^* \times B^*$ (where $B$ is a finite alphabet) such that

(1) for all $x \in A^*$: $f(x) = |\{w \in B^* : (x,w) \in R\}|$, with $f(x) \in \{0,1\}^*$
interpreted as an integer;

(2) $R$ is in P (deterministic polynomial time);

(3) $R$ is polynomially balanced (also called "polynomially honest"); i.e., there is a polynomial
$p(.)$ such that for all $(x,w) \in R$, $|x| \leq p(|w|)$ and $|w| \leq p(|x|)$.

Theorem 7.14 (Ranking problem for finite maximal prefix codes) 

The following problem is #P-complete.

Input: A $\{0,1,\bot\}$-valued circuit that accepts a finite maximal prefix code
$P \subset \{0,1\}^*$, and $x \in P$.
Output: The rank of $x$ in $P$ according to dictionary order.

Proof. The problem is clearly in #P since $\mathrm{rank}_P(x)$ is the number of words $w \in B^*$
(here $B = \{0,1\}$) satisfying the relation "$w \in P$ and $w <_d x$". Moreover, the prefix code $P$
is given by a circuit, whose size is counted as part of the input size of the problem, so the relation
"$w \in P$ and $w <_d x$" can be verified in deterministic polynomial time.

Next, we will reduce the #P-complete problem #SAT to our problem. For a boolean formula
$\beta(x_1, \ldots, x_n)$ with $n$ boolean variables, let $T \subseteq \{0,1\}^n$ be the set of
truth-value assignments that make $\beta$ true. Although $T$ is a finite prefix code, $T$ is not
maximal, and the cardinality $|T|$ is not necessarily a power of 2; however, finding $|T|$, given
$\beta$, is precisely the #P-complete problem #SAT. We will use $T$ to construct a finite maximal
prefix code $P_T$ (with $|P_T|$ a power of 2), whose ranking function determines $|T|$. We use the
notation $\overline{T} = \{0,1\}^n - T$. Let

$P_T = 00\overline{T} \,\cup\, 00T0 \,\cup\, 00T1 \,\cup\, 01\{0,1\}^n \,\cup\, 1T \,\cup\, 1\overline{T}0 \,\cup\, 1\overline{T}1$.

Then $P_T$ is a finite maximal prefix code of cardinality $|P_T| = 2^{n+2}$. Membership in $P_T$ is
easily decided by the formula $\beta$.

Finally, $|T|$ is easily derived from the rank of $001^n$ or of $001^n1$ in $P_T$. Indeed, if
$1^n \in \overline{T}$ then
$\mathrm{rank}_{P_T}(001^n) + 1 = |T| \cdot 2 + |\overline{T}| = |T| + 2^n$; if $1^n \in T$ then
$\mathrm{rank}_{P_T}(001^n1) + 1 = |T| + 2^n$. Hence, $|T|$ can easily be obtained from
$\mathrm{rank}_{P_T}(001^n)$ or $\mathrm{rank}_{P_T}(001^n1)$; the numbers are written in binary, so
the representation of $2^n$ is not large. □

Theorem 7.15 ($\mathrm{lp}V \cdot F$ factorization problem, given $\Phi : P \to \{0,1\}^n$)
The following problem is #P-complete.

Input: A $\{0,1,\bot\}$-valued circuit that computes a bijection $\Phi : P \to \{0,1\}^n$ (where $P$
is a finite maximal prefix code over $\{0,1\}$), and $x \in P$.
Output: The rank of $x$ in $P$ according to dictionary order. (Recall that $\mathrm{rank}_P(.)$ is
the $F$-part in the $\mathrm{lp}V \cdot F$ factorization of $\Phi$.)

The problem remains #P-complete if we assume that circuits for both $\Phi$ and $\Phi^{-1}$ are given.
Also, evaluating $\pi$ or $\pi^{-1}$ is #P-complete (where $\Phi(.) = \pi f(.)$ is the
$\mathrm{lp}V \cdot F$ factorization).

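Proof: The problem is in #P because the circuit for $\Phi$ can also be used to test membership in
$P$. To show #P-hardness, let $P_T$ be as in Theorem 7.14 above, where $T \subseteq \{0,1\}^n$ is the
set of truth value assignments that make a given boolean formula $\beta$ true; again, $\overline{T}$
denotes $\{0,1\}^n - T$.

$P_T = 00\overline{T} \,\cup\, 00T0 \,\cup\, 00T1 \,\cup\, 01\{0,1\}^n \,\cup\, 1T \,\cup\, 1\overline{T}0 \,\cup\, 1\overline{T}1$.

Let $\Phi : P_T \to \{0,1\}^{n+2}$ be the bijection defined as follows for all $x \in \{0,1\}^n$:
$00x \in 00\overline{T} \;\longmapsto\; 11x \in 11\overline{T}$
$00x0 \in 00T0 \;\longmapsto\; 0x0 \in 0T0$
$00x1 \in 00T1 \;\longmapsto\; 0x1 \in 0T1$
$01x \in 01\{0,1\}^n \;\longmapsto\; 10x \in 10\{0,1\}^n$
$1x0 \in 1\overline{T}0 \;\longmapsto\; 0x0 \in 0\overline{T}0$
$1x1 \in 1\overline{T}1 \;\longmapsto\; 0x1 \in 0\overline{T}1$
$1x \in 1T \;\longmapsto\; 11x \in 11T$.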

Clearly $\Phi$ and $\Phi^{-1}$ can easily be computed from the boolean formula $\beta$, and they
have small circuits that can be derived from the boolean formula $\beta$.

Let $\Phi = \pi f$ be the $\mathrm{lp}V \cdot F$ factorization of $\Phi$; then
$f = \mathrm{rank}_{P_T}(.)$. We saw in Theorem 7.14 above that evaluating $\mathrm{rank}_{P_T}(.)$
is a #P-complete problem. Thus by the reduction of $f$ to $f^{-1}$ in Theorem 7.6 the problem of
computing $f^{-1}$ is also #P-complete.

To show that the evaluations of $\pi$ and $\pi^{-1}$ are #P-hard, note that $f = \pi^{-1} \Phi$ and
$f^{-1} = \Phi^{-1} \pi$; since $\Phi$ and $\Phi^{-1}$ are easy to evaluate, this reduces the
#P-complete evaluation problems for $f$ and $f^{-1}$ to the evaluation of $\pi^{-1}$, respectively
$\pi$. □
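The reduction from #SAT used in the proofs of Theorems 7.14 and 7.15, as an added Python example that is not part of the paper. The sample formulas `BETA_A` and `BETA_B` are constructed and all function names are chosen here; the rank is computed by brute-force enumeration of $P_T$, which is exactly the exponential step the theorems say cannot in general be avoided.

```python
from itertools import product


def holds(beta, x):
    """Evaluate the boolean formula beta on the bitstring x."""
    return beta(*(b == "1" for b in x))


def in_P_T(w, beta, n):
    """Membership in P_T, decided with a single evaluation of beta."""
    if w.startswith("00"):
        x = w[2:]
        if len(x) == n:
            return not holds(beta, x)                       # 00 T-bar
        return len(x) == n + 1 and holds(beta, x[:n])       # 00 T 0, 00 T 1
    if w.startswith("01"):
        return len(w) == n + 2                              # 01 {0,1}^n
    if w.startswith("1"):
        x = w[1:]
        if len(x) == n:
            return holds(beta, x)                           # 1 T
        return len(x) == n + 1 and not holds(beta, x[:n])   # 1 T-bar 0, 1 T-bar 1
    return False


def code_words(beta, n):
    """P_T in dictionary order (brute force, exponential in n)."""
    return sorted("".join(bits)
                  for length in (n + 1, n + 2, n + 3)
                  for bits in product("01", repeat=length)
                  if in_P_T("".join(bits), beta, n))


def rank(x, beta, n):
    """Number of words of P_T that precede x in dictionary order."""
    return code_words(beta, n).index(x)


def count_models(beta, n):
    """|T| recovered from one rank query: rank + 1 = |T| + 2^n."""
    last = "00" + "1" * n + ("1" if holds(beta, "1" * n) else "")
    return rank(last, beta, n) + 1 - 2 ** n


def Phi(w, n):
    """The bijection P_T -> {0,1}^(n+2) from the proof of Theorem 7.15."""
    if w.startswith("01"):
        return "10" + w[2:]
    x = w[2:] if w.startswith("00") else w[1:]
    return "11" + x if len(x) == n else "0" + x


# Constructed sample formulas (assumptions of this example).
def BETA_A(a, b, c):
    return (a or b) and ((not a) or c)   # 4 satisfying assignments, 111 among them


def BETA_B(a, b):
    return a != b                        # 2 satisfying assignments, 11 not among them
```

`Phi` never evaluates the formula: it only looks at the leading bits and the length of its argument, which is why $\Phi$ is easy while the rank function of the same code $P_T$ counts satisfying assignments.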

The above Theorem means that ranking in $P_T$ according to the dictionary order is hard, but there
may exist another bijection $P_T \to \{0,1\}^n$, namely $\Phi$, which provides an easy ranking in
$P_T$.

Theorem 7.16 ($\mathrm{lp}V \cdot F$ factorization, given $\varphi : P_0 \to Q_0$,
$\mathrm{rank}_{P_0}(.)$ and $\mathrm{rank}_{Q_0}(.)$)

The following problem is #P-complete.
Input, consisting of three parts:

• A $\{0,1,\bot\}$-valued circuit that computes a bijection $\varphi : P_0 \to Q_0$ (where $P_0$ and
$Q_0$ are finite maximal prefix codes over $\{0,1\}$),

• two $\{0,1,\bot\}$-valued circuits that compute the rank functions of $P_0$, respectively $Q_0$,

• and $x \in P_1$ (where $P_1$ is the domain code that $\varphi$ receives when it is restricted so as
to have $\mathrm{imC}(\varphi) = \{0,1\}^n$, where $n = \max\{|q| : q \in Q_0\}$).

Output: The rank of $x$ in $P_1$ according to dictionary order.

The problem remains #P-complete if we assume that circuits for both $\varphi$ and $\varphi^{-1}$ are
given. Also, evaluating $\pi$ or $\pi^{-1}$ is #P-complete (where $\varphi = \pi f$ is the
$\mathrm{lp}V \cdot F$ factorization).

Proof: The problem is in #P because the circuit for $\varphi$ can also be used to obtain a circuit
for the restriction $P_1 \to \{0,1\}^n$ of $\varphi$, by Lemma 7.8; this circuit can then be used to
test membership in $P_1$. To show #P-hardness, let $T$ and $P_T$ be as in the proofs of Theorems 7.14
and 7.16. Let

$P_0 = \{00, 01, 1\} \cdot \{0,1\}^n = 00T \,\cup\, 00\overline{T} \,\cup\, 01\{0,1\}^n \,\cup\, 1T \,\cup\, 1\overline{T}$,
$Q_0 = \{0, 10, 11\} \cdot \{0,1\}^n = 0T \,\cup\, 0\overline{T} \,\cup\, 10\{0,1\}^n \,\cup\, 11T \,\cup\, 11\overline{T}$,

and define $\varphi : P_0 \to Q_0$ by
$00x \in 00\overline{T} \;\longmapsto\; 11x \in 11\overline{T}$
$00x \in 00T \;\longmapsto\; 0x \in 0T$
$01x \in 01\{0,1\}^n \;\longmapsto\; 10x \in 10\{0,1\}^n$
$1x \in 1\overline{T} \;\longmapsto\; 0x \in 0\overline{T}$
$1x \in 1T \;\longmapsto\; 11x \in 11T$.

Then $\varphi$, $\mathrm{rank}_{P_0}(.)$, and $\mathrm{rank}_{Q_0}(.)$, and their inverses have small
circuits, that are easily derived from the boolean formula $\beta$.

Next, we restrict $\varphi$ in such a way that its image code becomes $\{0,1\}^{n+2}$. The resulting
bijection is exactly the bijection $\Phi : P_T \to \{0,1\}^{n+2}$ of the proof of Theorem 7.15. All
the claimed conclusions of Theorem 7.16 now follow from Theorem 7.15. □

The above #P-completeness results imply that finding circuits for the $\mathrm{lp}V \cdot F$ factors
$\pi$, $f$ of $\varphi \in V$ is difficult (if P $\neq$ NP, etc.). However, whether this implies that
the factors require large circuits remains a very difficult open problem.